Kyle Hanslovan KyleHanslovan
KyleHanslovan
/ DomainEnumeration.bat
Created Jun 25, 2016
Post-exploitation host/domain survey using native Windows commands.
View DomainEnumeration.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 |
KyleHanslovan
/ WMIPersistence.mof
Created Jun 8, 2016
VBS based ActiveScriptEventConsumer useful for launching applications at startup as SYSTEM.
View WMIPersistence.mof
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Kyle Hanslovan | |
| Contact: @KyleHanslovan | |
| License: MIT | |
| Date: 07/18/2014 | |
| */ | |
| #PRAGMA NAMESPACE ("\\\\.\\root\\subscription") | |
| instance of ActiveScriptEventConsumer as $Consumer |
KyleHanslovan
/ DeleteNullRegValue.py
Created Jun 3, 2016
View DeleteNullRegValue.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import * | |
| from ctypes.wintypes import * | |
| import winreg | |
| NTSTATUS = c_long | |
| PVOID = c_void_p | |
| PWSTR = c_wchar_p | |
| OBJ_CASE_INSENSITIVE = 0x00000040 |
KyleHanslovan
/ CreateNullRegValue.py
Created Jun 3, 2016
Script which uses Native APIs to create a "hidden" registry value similar to Powerliks and Kovter malware.
View CreateNullRegValue.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import * | |
| from ctypes.wintypes import * | |
| import winreg | |
| NTSTATUS = c_long | |
| PVOID = c_void_p | |
| PWSTR = c_wchar_p | |
| OBJ_CASE_INSENSITIVE = 0x00000040 |