@enigma0x3
enigma0x3 / Backdoor-Minimalist.sct
Last active May 4, 2024 18:03
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@enigma0x3
enigma0x3 / rpc_dump_august.txt
Created October 23, 2018 17:20 — forked from masthoon/rpc_dump_rs4.txt
RPC interfaces dump August 2018
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64
Interfaces :
Endpoints :
import binascii
import sys

file_name = sys.argv[1]
# Read the file as raw bytes so hexlify behaves the same on Python 2 and 3
with open(file_name, 'rb') as f:
    hexdata = binascii.hexlify(f.read()).decode('ascii')
# Split the hex string into two-character byte pairs
hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
shellcode = ''
for i in hexlist:
    shellcode += "0x{},".format(i)
@enigma0x3
enigma0x3 / rpc_dump_rs5.txt
Created January 22, 2019 16:57 — forked from masthoon/rpc_dump_rs5.txt
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :
@enigma0x3
enigma0x3 / Get-NonstandardService.ps1
Last active August 12, 2022 15:41 — forked from HarmJ0y/Get-NonstandardService.ps1
Get-NonstandardService
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None