c:\Windows\ccm\inventory\noidmifs
c:\Windows\ccm\logs
c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput
Oddvar Moe api0cradle
api0cradle
/ Backdoor-Minimalist.sct
Last active
April 30, 2021 13:07
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
api0cradle
/ cobaltstrike_sa.txt
Last active
December 29, 2021 14:56
— forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
api0cradle
/ TestMSHTAShellcodeDelivery.ps1
Created
April 11, 2019 06:21
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta | |
| To change your server, simply find and replace 192.168.1.1 with your server in the code. | |
| #> | |
| <# | |
| Moving Credtis for CACTUSTORCH HERE | |
| I was in escape sequcence hell ;-) | |
| ' ( ) ( ) |
api0cradle
/ initial.cna
Created
February 20, 2019 20:37
— forked from rsmudge/initial.cna
How to automate Beacon to execute a sequence of tasks with each checkin...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
api0cradle
/ katz.cs
Created
August 1, 2018 06:51
Updated Katz.cs - Latest Mimikatz, I mean honestly it is 2018...
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
api0cradle
/ gist:7c774561d50dc50b67e072f49605f235
Created
November 3, 2017 07:23
— forked from trustedsec/gist:686057a1b8cdf3e580c57b211b263abe
List of applications for code execution via legit binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Rundll32.exe | |
| Regsvr32.exe | |
| Mshta.exe | |
| Msbuild.exe | |
| Cbd.exe | |
| Csc.exe | |
| Tracker.exe | |
| Ntsd.exe | |
| Bginfo.exe | |
| Kd.exe |
api0cradle
/ 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Created
May 5, 2023 08:09
— forked from JohnLaTwC/38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
A very interesting DOCX no?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long |
api0cradle
/ AppLocker-Bypass-Folderperms-CCM.md
Last active
September 4, 2023 22:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| accesschk -w -s -u Users "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u Everyone "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u "Authenticated Users" "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u Interactive "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u "This Organization" "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u "Authentication authority asserted identity" "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u "Mandatory Label\Medium Mandatory Level" "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u %username% "C:\Program Files" >> programfiles.txt | |
| accesschk -w -s -u Users "C:\Program Files (x86)" >> programfilesx86.txt |
api0cradle
/ windows_hardening.cmd
Created
February 24, 2020 07:29
— forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: | |
| ::####################################################################### | |
| :: | |
| :: Change file associations to protect against common ransomware attacks | |
| :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell | |
| :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) | |
| :: --------------------- | |
| ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" |