Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. Dark Vador

    #201 Dark Vador, Aug 1, 2025 at 18:48
    Last edited: Aug 1, 2025 at 18:55
    Has anyone looked at AveYo's script lately?
    Actually, it's a very smart script.
    It builds a payload, runs the payload as Administrator -> runs the payload as TI, then runs the user command.
    Very smart idea; it looks like registry / COM hijacking :D
    And, oddly, I can say it doesn't use duplicate tokens etc. (like other scripts do).
    Code:
    <#
     The privilege escalation process is a 3-step operation:
     * Set up the Payload (and Initial Trigger)
     * Run the Payload Script as Administrator
     * Run the Payload Script as TI/SYSTEM
     * Start the User Command under TI/SYSTEM Privileges
     ----> A type of COM hijacking -->
    #>
    
    # RunAsTI: runs $cmd with TrustedInstaller/SYSTEM privileges (defaults to 'C:\' when empty).
    # This function itself touches nothing system-wide: it stores the $payload here-string below
    # as a REG_MULTI_SZ value named $id under the caller's HKEY_USERS\<sid>\Volatile Environment key,
    # then starts an elevated PowerShell (-verb runas, i.e. a UAC prompt) whose command line reads
    # that value, deletes it and invokes it (iex). The stored payload has two branches:
    #  - token not yet SYSTEM (no S-1-16-16384 group): "net1 start" TrustedInstaller (lsass as
    #    fallback), grab that process's handle, put it in a process attribute list, and CreateProcess
    #    "powershell -win 1 -nop -c iex $env:A" through the P/Invoke stubs it reflection-emits at its top;
    #  - already SYSTEM: enable Security/TakeOwnership/Backup/Restore privileges, point the
    #    SymbolicLinkValue of HKU\S-1-5-18 at the caller's hive (\Registry\User\<sid>), blank the RunAs
    #    value of HKLM\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}, start cmd with
    #    $cmd (via explorer, or "start /high /w" when $cmd's first token is not a directory), wait while
    #    an explorer.exe owned by S-1-5-18 exists, then restore the link (.Default) and RunAs
    #    ("Interactive User").
    # Artifacts a reviewer or defender can expect from a run: the transient $id value under the user's
    # Volatile Environment key, the two HKLM/HKU registry writes above, "net1 start TrustedInstaller",
    # and powershell.exe children started with "-win 1 -nop -c iex $env:A".
    # Caveat: the two restore steps run only after the wait loop exits and there is no try/finally, so
    # an interrupted or hung run leaves the AppID RunAs value and the HKU\S-1-5-18 link modified.
    # Note for maintainers: everything between @' and '@ is a string literal; any comment added there
    # becomes part of the stored registry value.
    function RunAsTI ($cmd) {
        # Name of the registry value holding the payload; also reused as the cmd window title.
        $id='RunAsTI';
        # Current user's SID = last whitespace-separated token of "whoami /user"; selects the hive
        # under HKEY_USERS where the payload is stored and which the payload later links S-1-5-18 to.
        $sid=((whoami /user)-split' ')[-1];
        # Payload script, stored verbatim (single-quoted here-string: no expansion happens here).
        $payload=@'
    $ti=(whoami /groups)-like"*1-16-16384*";
    $DM=[AppDomain]::CurrentDomain."DefineDynamicAssembly"(1,1)."DefineDynamicModule"(1)
    $D=@();
    0..5|% {$D+=$DM."DefineType"("M$_",1179913,[ValueType])};
    $I=[int32];
    $P=$I.module.gettype("System.IntPtr");
    $U=[uintptr]
    $D+=$U;
    4..6|% {$D+=$D[$_]."MakeByRefType"()};
    $M=$I.module.gettype("System.Runtime.InteropServices.Marshal");
    $Z=[uintptr]::size
    $S=[string];
    $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
    0..2|% {$9=$D[0]."DefinePInvokeMethod"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
    $DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
    1..5|% {$k=$_;
    $n=1;
    $AveYo=1;
    $DF[$_]|% {$9=$D[$k]."DefineField"('f'+$n++,$_,6)}};
    $T=@();
    0..5|% {$T+=$D[$_]."CreateType"()}
    0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force};
    function F ($1,$2) {$T[0]."GetMethod"($1).invoke(0,$2)};
    if ($ti) {
        $env:A='';
        $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMethods"(42) |? {$_.Name -eq "SetPrivilege"}
        "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
        $HKU=[uintptr][uint32]2147483651;
        $LNK=$HKU;
        $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9]));
        F "RegOpenKeyEx" $reg;
        $LNK=$reg[4]
        function SYM($1,$2){
            $b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)
        }
        F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK);
        $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
        $r="explorer";
        if (!$cmd) {$cmd='C:\'};
        $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
    
        # Start User Command Under TI/SYSTEM Level
        if (!$dir) {$r="start `"$id`" /high /w"};
    
        sp $EXP RunAs '' -force;
        start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
        do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
        F "RegSetValueEx" (SYM ".Default" $LNK);
        sp $EXP RunAs "Interactive User" -force
    }
    else {
        $g=0;
        "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null;
        $g=@(get-process -name $_ -ea 0|% {$_})[0]}};
        function M($1,$2,$3){$M."GetMethod"($1,[type[]]$2).invoke(0,$3)};
        $H=@();
        $Z,(4*$Z+16)|% {$H+=M "AllocHGlobal" $I $_};
        M "WriteIntPtr" ($P,$P) ($H[0],$g.Handle);
        $A1.f1=131072;
        $A1.f2=$Z;
        $A1.f3=$H[0];
        $A2.f1=$A2.f2=$A2.f3=$A2.f4=1;
        $A2.f6=$A1
        $A3.f1=10*$Z+32;
        $A4.f1=$A3;
        $A4.f2=$H[1];
        M "StructureToPtr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false);
        $w=0x0E080600
    
        # Run PayLoad script as TI/SYSTEM
        $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,$A4,$A5);
        F "CreateProcess" $out
    }
    '@;
        # Registry location of the payload: the caller's own hive, so no elevation is needed to write it.
        $key="Registry::HKEY_USERS\$sid\Volatile Environment";
        # $a1 prepends the $id/$key assignments the payload relies on (it splits $key to recover the SID).
        $a1="`$id='$id';`$key='$key';";
        # $cmd is embedded single-quoted; doubling any ' keeps it from breaking out of the literal.
        $a2="`$cmd='$($cmd-replace"'","''")';"
        # -type 7 = REG_MULTI_SZ; the three strings are joined back together by the reader below.
        sp $key $id $($a1,$a2,$payload) -type 7 -force;
        # Elevated stage: load the value into $env:A, delete the value, run it. $env:A is inherited by the
        # child process the payload creates, which is how the same script reaches the SYSTEM branch.
        $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join''; rp `$key `$id -force; iex `$env:A"
    
        # Setup a Payload & RunAs Administrator
        start powershell -args "-win 1 -nop -c $arg" -verb runas
    };
    # Example invocation: an interactive cmd window that prints the account it runs under.
    RunAsTI -cmd "cmd /k whoami";
    
    
     