This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. | |
| Snapshots taken from clean installs. | |
| Windows 7 SP1 x64, 7601 | |
| WPD Association LUA Virtual Factory | |
| {00393519-3A67-4507-A2B8-85146167ACA7} | |
| Virtual Factory for Biometrics | |
| {0142e4d1-fb7a-11dc-ba4a-000ffe7ab428} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| DO NOT COMPILE THIS SOURCE FILE ! | |
| Encode this source in base64: | |
| base64 -w0 malicious.cs > malicious.b64 | |
| Then paste it in the code in "not_detected.cs" source file |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*************** | |
| * Simple Process Hollowing in C# | |
| * | |
| * #Build Your Binaries | |
| * c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
| * | |
| * @author: Michael Gorelik <smgorelik@gmail.com> | |
| * gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
| * #Most of the code taken from here: @github: github.com/ambray |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # | |
| # Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or | |
| # .NET/CLR assembly EXE file into inline-task XML file that can be further launched by: | |
| # %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | |
| # | |
| # Requirements: | |
| # - pefile | |
| # | |
| # Mariusz B. / mgeeky, <mb@binary-offensive.com> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| # All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :)) | |
| # This is trully a Always Notify UAC Bypass,cause it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION,we look for processes with manifests that have <autoElevate></autoElevate> set to True. | |
| from ctypes.wintypes import * | |
| from ctypes import * | |
| from enum import IntEnum | |
| kernel32 = WinDLL('kernel32', use_last_error=True) | |
| advapi32 = WinDLL('advapi32', use_last_error=True) | |
| shell32 = WinDLL('shell32' , use_last_error=True) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-ActiveScriptEventConsumerClass { | |
| <# | |
| .SYNOPSIS | |
| Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing. | |
| .DESCRIPTION | |
| New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer | |
| RETURN u.name | |
| That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership | |
| --------------- | |
| MATCH | |
| (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer) | |
| WITH | |
| U.name as n, |