Phrozen Timeline

Power Remote Desktop is a fully functional Remote Desktop Application entirely coded in PowerShell.

It doesn't rely on any existing Remote Desktop Application or Protocol to function. A serious advantage of this application is its nature (PowerShell) and its ease of use and installation.

This project demonstrate why PowerShell contains the word Power. It is unfortunately often an underestimated programming language that is not only resumed to running commands or being a more fancy replacement to the old Windows command-line interpreter (cmd).



Read more...

PowerRunAsAttached is a ported version of RunAsAttachedLocal in Powershell with inline CSharp.

This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).

One possible example is that this tool gives you with ease the possibility to do vertical / horizontal privilege escalation through your already established Netcat / WinRM session.



Read more...

PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell

⚠️ Notice: this version is slower than WinBruteLogon but has the serious advantage of being 100% entirely coded in PowerShell. In a near future, password attempts will be distributed to separate threads to speed up the process. Also keep in mind that this method is very noisy, each failed attempt will get logged on Microsoft Windows Event Logs.

You might find useful information about the technique used in this PoC here



Read more...

PowerAssembly

Map in current PowerShell Instance Memory .NET Assemblies from remote web server.

When Assembly is mapped, you can invoke it's main with a command line argument.

The advantage of this technique is to avoid having assemblies written on disk. Everything happens in memory.

I'm using this script during my penetration tests / labs right after getting an initial shell on Windows to load other .NET Tools (Ex: ShapHound, ShapUp etc..)



Read more...

InnoSetup Execute Shellcode PoC

This proof of concept demonstrate how to take advantage of InnoSetup Scripting Engine to host local/remote process shellcode payload then execute.

The idea behind this concept is to demonstrate the dangerosity of (self) installers. Not only they can contain malicious programsn, they can also run native code through their scripting engines and evade AV detections because of their natural aspect.

The most difficult part was to understand how to use pointers/refs. Basically from this example, it is possible to create any kind of Malware from scratch (even more complex ones). Feel free to try, if you have any technical questions, feel free to ask for some help.



Read more...

This code snippet demonstrate how Malware authors take advantage of certain Windows API's to detect the presence of Windows Services that might indicate the presence of Virtualization Technologies and/or Sandbox in order to adapt their behavior and escape detection.

Read more...

This technique is often used by Malware to hide their presence on system after execution. The application self-delete after the end of its execution. The best method to archive a such goal is through process injection.

Read more...

ADS (Alternate Data Stream) is a channel often abused by Malware authors to hide files by abusing the property of NTFS File Systems.

It is mainly used to store: additional payloads, collected data or settings.

An ADS file is completely hidden from explorer. In modern version of Windows, you can display ADS files using the command dir /r or through using third part tools.

Read more...

NASM Shell++ is an enhanced version of the Metasploit Framework NASM Shell.

You can edit instructions, specify bad characters and finally export your final payload in Python, C or CPP

Read more...

This tool will help you to find code caves in target x86-32 bit Microsoft Windows PE files.

This tool automatically patch application entry point to redirect code execution to chosen code cave, where your payload is stored. When payload execution is over, code execution is redirected back to original program entry point.

Code Cave Helper supports main section encryption.

This tool is considered as a PoC, it was created during my preparation for OSCE Certification in order to master the art of Backdooring PE Files.

A good improvement would be to support x86-64 bit files and offer an option to create a new section instead of searching for natural code caves.

Read more...