- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
leoloobeek
/ EventVwrBypass.cs
Last active
June 6, 2023 08:50
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Win32; | |
| /* | |
| InstallUtil.exe C# version of Event Viewer UAC bypass |
rvrsh3ll
/ gadget2jscriptQueueAPCInject.cs
Last active
July 21, 2023 13:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using System.Net; | |
| using System.IO.Compression; | |
| public class Payload | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys | |
| if __name__ == "__main__": | |
| if len(sys.argv) < 2: | |
| print "usage: %s file.bin\n" % (sys.argv[0],) | |
| sys.exit(0) | |
| shellcode = "\"" | |
| ctr = 1 | |
| maxlen = 15 |
scotgabriel
/ Windows command line gui access.md
Last active
November 11, 2023 14:53
Common windows functions via rundll user32 and control panel
Cyb3rWard0g
/ COMPlus_ETWEnabled_detection_notes.md
Last active
November 23, 2023 20:05
- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // What system are we connected to? | |
| systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | |
| // Get the hostname and username (if available) | |
| hostname | |
| echo %username% | |
| // Get users | |
| net users | |
| net user [username] |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
February 24, 2024 15:19
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
Neo23x0
/ Base64_CheatSheet.md
Last active
March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
rain-1
/ Wannacrypt0r-FACTSHEET.md
Last active
March 10, 2024 11:03
— forked from Epivalent/Wannacrypt0r-FACTSHEET.md
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
- Kill switch: If the website
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comis up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the viru
NaniteFactory
/ dllmain.go
Last active
March 15, 2024 16:35
An implementation example of DllMain() entrypoint with Golang. $ go build --buildmode=c-shared -o my.dll && rundll32.exe my.dll Test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| //#include "dllmain.h" | |
| import "C" |