%windir%\system32\WerFaultSecure.exe | |
%windir%\system32\mrt.exe | |
%windir%\system32\svchost.exe | |
%windir%\system32\NETSTAT.EXE | |
%windir%\system32\wbem\WmiPrvSE.exe | |
%windir%\system32\DriverStore\FileRepository\*\NVWMI\nvWmi64.exe | |
%programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe | |
%programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe | |
%programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe | |
%programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe |
# | |
# Usage: | |
# PS> . .\Cleanup-ClickOnce.ps1 | |
# PS> Cleanup-ClickOnce -Name MyAppName | |
# | |
# Alternatively, the built-in ClickOnce maintenance entry points exported by dfshim.dll can be used: | |
# PS> rundll32 dfshim.dll,ShArpMaintain C:\Path\To\ClickOnce.application | |
# PS> rundll32 dfshim.dll CleanOnlineAppCache | |
# |
# | |
# Simple PowerShell script that removes ClickOnce deployments entirely from the file system and registry. | |
# Attempts to remove both installed and online-only deployments. | |
# | |
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
# | |
# Usage: | |
# PS> . .\Cleanup-ClickOnce.ps1 | |
# PS> Cleanup-ClickOnce -Name MyAppName | |
# |
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
namespace ShellcodeLoader | |
{ | |
class Program |
#!/usr/bin/env python3 | |
''' | |
* Written for a CTF :) | |
* --- | |
* Author: Bryan McNulty | |
* Contact: bryanmcnulty@protonmail.com | |
* GitHub: https://github.com/bryanmcnulty | |
* --- | |
* Dependencies: |
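# Pack the macro-enabled workbook into an ISO image.
py PackMyPayload.py Resume1337.xlsm test11.iso
# Apply the Mark-of-the-Web to the ISO: the Zone.Identifier alternate data stream
# is where Windows stores MOTW, and ZoneId=3 marks the file as coming from the
# Internet zone. This requires the ISO to sit on an NTFS volume (ADS are not
# available on FAT/exFAT), which is an assumption of this snippet.
Set-Content -Path test11.iso -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
# Mount it. Mount-DiskImage hands the path to the storage CIM provider, which does
# not resolve it against the PowerShell working directory, so a relative path fails;
# resolve to an absolute path first. After mounting, inspect the Zone.Identifier of
# the extracted file to confirm whether MOTW was propagated into the image contents.
Mount-DiskImage -ImagePath (Resolve-Path -LiteralPath test11.iso).Path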
((((ParentBaseFileName IN ("*WINWORD.EXE" , | |
"*EXCEL.EXE" , | |
"*POWERPNT.EXE" , | |
"*MSPUB.EXE" , | |
"*VISIO.EXE" , | |
"*OUTLOOK.EXE" , | |
"*MSACCESS.EXE" , | |
"*MSPROJECT.EXE" , | |
"*ONENOTE.EXE")) | |
AND ((CommandHistory IN ("*msdt.exe*" , |
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
namespace ShellcodeLoader | |
{ | |
class Program |
# Expose HKEY_CLASSES_ROOT as a PowerShell drive so the registered class keys (and
# the URI scheme keys among them, i.e. those carrying a "URL Protocol" value) can be
# walked with Get-ChildItem. Output is discarded; errors are suppressed, presumably
# so that an already-existing HKCR: drive does not abort the script — verify.
$null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue
# Running tally of URI handlers found; used to number the printed lines.
$count = 0
try { | |
Get-ChildItem HKCR: -ErrorAction SilentlyContinue | ForEach-Object { | |
if((Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains "URL Protocol") { | |
$name = $_.PSChildName | |
$count += 1 | |
$line = "URI Handler {0:d4}: {1}" -f $count, $name | |
Write-Host $line | |
} |