This is a short post about nps_payload, an open source Python script that helps you create basic payloads intended to avoid or bypass intrusion detection systems. It is a mix of @ben0xa's Not PowerShell (nps) framework and some features of @HackingDave's unicorn tool. As you know, Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory, and the Not PowerShell toolkit allows you to encrypt and drop binaries.
As with most offensive tools nowadays, nps_payload leverages the Metasploit meterpreter and msfvenom to generate custom PowerShell and HTA payloads. These are inserted into the msbuild_nps.xml file, which leverages Not PowerShell (nps) to execute the payload when msbuild.exe runs the file. The following payloads are supported on Windows:
Custom PowerShell payload
The Python script also takes care of generating the related Metasploit console resource file (msbuild_nps.rc). The generated msbuild_nps.xml file can then be executed with msbuild.exe, either locally or from a Samba share where it has been stored.
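The msbuild.exe execution path described above, seen from the defender's side: this is an added example, not part of the original post or of nps_payload, that scans constructed process-creation events and flags msbuild.exe being handed a bare .xml project file, a project file on a UNC (Samba) share, or one in a user-writable directory. The pipe-delimited event format, the sample paths and the extension list are assumptions.

```python
import re

# Extensions build tooling normally passes to MSBuild; a bare .xml is unusual (assumed list).
PROJECT_EXTS = (".xml", ".proj", ".csproj", ".vbproj", ".targets")
# Path fragments that indicate user-writable locations (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed process-creation events in a Sysmon-like 'Key=Value|Key=Value' form (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|CommandLine=MSBuild.exe \\fileserver\share\msbuild_nps.xml",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|CommandLine=msbuild.exe C:\Users\alice\Downloads\msbuild_nps.xml",
    r"Image=C:\Program Files\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\MSBuild.exe|CommandLine=MSBuild.exe C:\src\app\app.csproj /t:Build",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.xml",
]

def parse_event(line):
    """Turn a 'Key=Value|Key=Value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def project_args(cmdline):
    """Yield command-line tokens that look like MSBuild project files (quoted paths honoured)."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', cmdline)
    for quoted, bare in tokens[1:]:  # tokens[0] is the executable itself
        tok = quoted or bare
        if tok.lower().endswith(PROJECT_EXTS):
            yield tok

def assess_event(line):
    """Return the reasons this event is suspicious, or [] if it is not an interesting msbuild run."""
    ev = parse_event(line)
    if not ev.get("Image", "").lower().endswith("\\msbuild.exe"):
        return []
    reasons = []
    for path in project_args(ev.get("CommandLine", "")):
        low = path.lower()
        if low.endswith(".xml"):
            reasons.append(f"msbuild handed a .xml project file: {path}")
        if low.startswith("\\\\"):
            reasons.append(f"project file loaded from a UNC share: {path}")
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append(f"project file in a user-writable location: {path}")
    return reasons

def scan(lines):
    """Map each flagged event line to its reasons; benign lines are dropped."""
    return {line: r for line in lines if (r := assess_event(line))}

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_EVENTS).items():
        print(line.split("|")[1], "->", "; ".join(reasons))
```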
Download the current version of nps_payload v1.02 here.