mattifestation

[
    {
        "ProviderGUID":  "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
        "ProviderName":  "AccEventTool",
        "ProviderGroupGUID":  "4f50731a-89cf-4782-b3e0-dce8c90476ba",
        "AssociatedFilenames":  [
                                    "accevent.exe",
                                    "inspect.exe",
                                    "narrator.exe",
                                    "srh.dll"

mattifestation

$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"

New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41

dtmsecurity

$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";

beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");

alias sharpgen{
	$executionId  = "sharpgen_" . int(rand() * 100000);
	$temporaryCsharp =  $temppath . $executionId . ".cs";
	$executableFilename = $temppath . $executionId . ".exe";

jeffmcjunkin

MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name

That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------

MATCH 
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,

xpn

#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

vanbroup

echo MFIwUKADAgEAMEkwRzBFMAkGBSsOAwIaBQAEFNHxtXb57sDBD3r8fDEkqcNiXXxhBBTqTnzUgC3lFYGGJoyCbcCYpM+XDwIMPVGgldv/1vnVuWtZ | base64 --decode > ocsp.req

# Print OCSP request
openssl ocsp -text -reqin ocsp.req

# Make OCSP request
curl -v -o ocsp.resp --data-binary @ocsp.req -H "Content-Type: application/ocsp-request" --url http://ocsp.example.com/ca1 --header "Host: ocsp.example.com"

# Print OCSP response
openssl ocsp -noverify -text -respin ocsp.resp

bohops

I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'.  It may be located in SYSTEM32.

Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways.

Here are a few examples that you may or may not find useful - 

1) Replace ComSpec Variable

set comspec=c:\windows\system32\calc.exe
cscript manage-bde.wsf

mattifestation

# Author: Matt Graeber, SpecterOps
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % {
    try {
        $Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName)

        if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') {
            $_.FullName
        }
    } catch {}
}

winlogon.reg

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

mattifestation

function New-ActiveScriptEventConsumerClass {
<#
.SYNOPSIS

Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing.

.DESCRIPTION

New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing.