This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# .SYNOPSIS | |
An example script that shows how to confues Windows about the identity of the creator process using NtCreateProcessEx and an initial thread inserted by some other process. | |
Most of the code shamelessly ripped from https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1 by Ruben Boonen (@FuzzySec), so be sure to theck this (and him) out. | |
Only tested on x64 Win10. | |
.DESCRIPTION | |
Author: Philip Tsukerman (@PhilipTsukerman) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
BOOL APIENTRY DllMain(HMODULE hModule, | |
DWORD ul_reason_for_call, | |
LPVOID lpReserved | |
) | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Lateral movement and shellcode injection via Excel 4.0 macros | |
Author: Philip Tsukerman (@PhilipTsukerman) | |
License: BSD 3-Clause | |
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM | |
#> | |
function Invoke-ExShellcode | |
{ | |
<# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#********************************************************************** | |
# Invoke-Excel4DCOM64.ps1 | |
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason | |
# Date: 2019/04/21 | |
# Version: 1.1 | |
#********************************************************************** | |
function Invoke-Excel4DCOM | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Lateral Movement Via MSACCESS TransformXML | |
Author: Philip Tsukerman (@PhilipTsukerman) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None | |
#> | |
function Invoke-AccessXSLT { | |
<# |