This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
TaskManagerSecret | |
Author: @splinter_code | |
This is a very ugly POC for a very unreliable UAC bypass through some UI hacks. | |
The core of this hack is stealing and using a token containing the UIAccess flag set. | |
A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html | |
From there it uses a task manager "feature" to run a new High IL cmd.exe. | |
This has been developed only for fun and shouldn't be used due to its high unreliability. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Export-MFT { | |
<# | |
.SYNOPSIS | |
Extracts master file table from volume. | |
Version: 0.1 | |
Author : Jesse Davis (@secabstraction) | |
License: BSD 3-Clause | |
.DESCRIPTION |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Runtime.CompilerServices; | |
using System.Net; | |
using System.Reflection; | |
using System.Runtime.InteropServices; | |
namespace Test | |
{ | |
// CCOB IS THE GOAT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#define _WIN32_WINNT 0x0502 | |
#define WINVER 0x0502 | |
#include <windows.h> | |
#include <errhandlingapi.h> | |
#include <process.h> | |
#include "beacon.h" | |
WINBASEAPI PVOID WINAPI KERNEL32$AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler); | |
DECLSPEC_IMPORT uintptr_t __cdecl MSVCRT$_beginthreadex(void *_Security,unsigned _StackSize,_beginthreadex_proc_type _StartAddress,void *_ArgList,unsigned _InitFlag,unsigned *_ThrdAddr); | |
DECLSPEC_IMPORT void __cdecl MSVCRT$_endthreadex(unsigned _Retval); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using AsmResolver; | |
using AsmResolver.PE; | |
using AsmResolver.PE.Code; | |
using AsmResolver.PE.File; | |
using AsmResolver.PE.File.Headers; | |
using AsmResolver.PE.Imports; | |
using AsmResolver.PE.Imports.Builder; | |
using AsmResolver.PE.Platforms; | |
using AsmResolver.PE.Relocations; | |
using AsmResolver.PE.Relocations.Builder; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <iostream> | |
#include <atlbase.h> | |
#include <Wuapi.h> | |
#include <wuerror.h> | |
#include <list> | |
#include <fstream> | |
#include <MsXml.h> | |
#include "atlbase.h" | |
#include "atlstr.h" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// TcbElevation - Authors: @splinter_code and @decoder_it | |
#define SECURITY_WIN32 | |
#include <windows.h> | |
#include <sspi.h> | |
#include <stdio.h> | |
#pragma comment(lib, "Secur32.lib") | |
void EnableTcbPrivilege(BOOL enforceCheck); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize ) | |
{ | |
#ifdef TRANSPORT_HTTP | |
HANDLE hConnect = NULL; | |
HANDLE hSession = NULL; | |
HANDLE hRequest = NULL; | |
DWORD HttpFlags = 0; | |
LPVOID RespBuffer = NULL; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
namespace SCCMDecryptPOC | |
{ | |
internal class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Collections.Generic; | |
using System.Diagnostics; | |
using System.Linq; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
using System.Threading.Tasks; | |
namespace HiddenEventLogs | |
{ |
NewerOlder