This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.
The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.
Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.
This is to try and document the behaviour around PowerShellGet/PSResourceGet code signing publisher behaviour.
The following code can be used to set up this scenario. This must be run as an administrator in Windows PowerShell.
Note: PowerShell uses implicit remoting for the New-SelfSignedCertificate which breaks the constains serialization. You must run this on Windows PowerShell.
| filter ThrowStdOutErrors($messageFilter,[Parameter(ValueFromPipeline)]$obj) { | |
| if ($obj -is [Management.Automation.ErrorRecord]) { | |
| if ($obj -match $messageFilter) { | |
| throw $obj | |
| } else { | |
| Write-Error $obj | |
| return | |
| } | |
| } | |
| $obj |
| using namespace System.Management.Automation | |
| using namespace Microsoft.PowerShell.Commands | |
| function Write-FunctionError { | |
| <# | |
| .SYNOPSIS | |
| Writes an error within the context of the containing CmdletBinding() function. Makes error displays prettier | |
| .NOTES | |
| ScriptStackTrace will still show Write-FunctionError, so its not completely transparent. There's no way to "edit" or "replace" this stacktrace that I can find. | |
| .EXAMPLE | |
| function test { |
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
| #requires -version 7 | |
| #You can load this script with $(iwr https://tinyurl.com/TraceAICommand | iex) | |
| using namespace Microsoft.ApplicationInsights | |
| using namespace Microsoft.ApplicationInsights.Extensibility | |
| using namespace Microsoft.ApplicationInsights.DataContracts | |
| using namespace System.Management.Automation | |
| using namespace System.Collections.Generic | |
| using namespace System.Net | |
| #Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/console |
| # Taken from : https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py | |
| function Start-WebcamRecorder | |
| { | |
| <# | |
| .SYNOPSIS | |
| This function utilizes the DirectX and DShowNET assemblies to record video from the host's webcam. | |
| Author: Chris Ross (@xorrior) | |
| License: BSD 3-Clause | |
| .DESCRIPTION | |
| This function will capture video output from the hosts webcamera. Note that if compression is available, there isn't |
| using System; | |
| using System.IO; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| using System.Runtime.InteropServices; | |
| namespace ByteArrayExec | |
| { |
| $WMI = @{ | |
| Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True" | |
| Action = { | |
| #$Global:Data = $Event | |
| Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")" | |
| } | |
| Namespace = 'root\microsoft\windows\defender' | |
| SourceIdentifier = "Defender.DisableRealtimeMonitoring" | |
| } | |
| $Null = Register-WMIEvent @WMI |
**Securing your Azure and Sendgrid accounts with Two Factor Authentication (2FA) is recommended. 2FA will not have an effect on how the Azure function or Sendgrid API works.
