rsmudge

# demonstrate how to add a popup handler to a Swing component in Sleep

import java.awt.*;

import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.

Darkbat91

<#
.SYNOPSIS
	Audits weak service permissions
.DESCRIPTION
	Views Services on computer and return all weak permissions that are present
.NOTES	
    Author: Micah
    Creation Date: 20170329
    Last Modified: 20170329
    Version: 0.0.1

ryhanson

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

rsmudge

# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.