October 19, 2016 Karn Ganeshen

New Powershell Mass Encrypt and Decrypt modules

New Powershell Mass Encrypt and Decrypt modules

https://github.com/juushya/Scripts/blob/master/PS-MassEncScript.ps1
https://github.com/juushya/Scripts/blob/master/PS-DecScript.ps1

These scripts are sourced from / wrappers around PowerSploit’s Out-Encrypted.ps1 script.

PowerSploit’s Out-Encrypted.ps1 handles / encrypts one script at a time; encrypted file needs to be decrypted manually and then executed.

Using PS-MassEncScript.ps1, encrypt multiple scripts with a password and a salt value, in one go.

Move the encrypted files over to the target / compromised box. Since these files are encrypted, AV / IPS are no good – at least as of now.

Use PS-DecScript.ps1 to decrypt & execute any of these encrypted files.

See the example script runs below:

+++++
On Attacker’s box


Normally, an AV will immediately flag these scripts, remove and / or block script execution.


Encrypt these scripts using PS-MassEncScript.

As you see above, the output encrypted scripts will be appended with a _evil suffix.

On the victim box:

Assuming you already have a cmd shell access, move these encrypted files on the victim box.

Format:

+++++
Tagged: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *