KyleHanslovan
/ DomainEnumeration.bat
Created Jun 25, 2016
Post-exploitation host/domain survey using native Windows commands.
View DomainEnumeration.bat
| whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 |
KyleHanslovan
/ WMIPersistence.mof
Created Jun 8, 2016
VBS based ActiveScriptEventConsumer useful for launching applications at startup as SYSTEM.
View WMIPersistence.mof
| /* | |
| Author: Kyle Hanslovan | |
| Contact: @KyleHanslovan | |
| License: MIT | |
| Date: 07/18/2014 | |
| */ | |
| #PRAGMA NAMESPACE ("\\\\.\\root\\subscription") | |
| instance of ActiveScriptEventConsumer as $Consumer |
KyleHanslovan
/ DeleteNullRegValue.py
Created Jun 3, 2016
View DeleteNullRegValue.py
| from ctypes import * | |
| from ctypes.wintypes import * | |
| import winreg | |
| NTSTATUS = c_long | |
| PVOID = c_void_p | |
| PWSTR = c_wchar_p | |
| OBJ_CASE_INSENSITIVE = 0x00000040 |
KyleHanslovan
/ CreateNullRegValue.py
Created Jun 3, 2016
Script which uses Native APIs to create a "hidden" registry value similar to Powerliks and Kovter malware.
View CreateNullRegValue.py
| from ctypes import * | |
| from ctypes.wintypes import * | |
| import winreg | |
| NTSTATUS = c_long | |
| PVOID = c_void_p | |
| PWSTR = c_wchar_p | |
| OBJ_CASE_INSENSITIVE = 0x00000040 |