sassdawe

<#
.Synopsis
   New-AzureADTestUser
.DESCRIPTION
   New-AzureADTestUser will create one or more random Azure AD test account(s).
   The randomness is achieved using https://randomuser.me/api/.
   The account(s) will be disabled, and the password(s) will be a random Guid.
.EXAMPLE

sassdawe

using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;

namespace ByteArrayExec
{

sassdawe

<#
.Synopsis
    Get-LatestLTS
.DESCRIPTION
    Long description
.EXAMPLE
    Example of how to use this cmdlet
.EXAMPLE
    Another example of how to use this cmdlet

sassdawe

function Protect-FromMyself {
    <#
    .SYNOPSIS
        Protect-FromMyself
    .DESCRIPTION
        Protect-FromMyself will turn on `-WhatIf` for all comdlets that support it. To help protect against accidental changes.
    .NOTES
    .LINK
    #>
    [CmdletBinding()]

sassdawe

# Taken from : https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py
function Start-WebcamRecorder
{
  <#
  .SYNOPSIS
  This function utilizes the DirectX and DShowNET assemblies to record video from the host's webcam.
  Author: Chris Ross (@xorrior)
  License: BSD 3-Clause
  .DESCRIPTION
  This function will capture video output from the hosts webcamera. Note that if compression is available, there isn't 

sassdawe

#requires -version 7
#You can load this script with $(iwr https://tinyurl.com/TraceAICommand | iex)
using namespace Microsoft.ApplicationInsights
using namespace Microsoft.ApplicationInsights.Extensibility
using namespace Microsoft.ApplicationInsights.DataContracts
using namespace System.Management.Automation
using namespace System.Collections.Generic
using namespace System.Net

#Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/app/console

sassdawe

$module = "module name"
$folder = "destination folder"

(((Get-Module $module).ExportedFunctions).Values.GetEnumerator()) | Foreach-Object { 
  "function $($_.Name) { `n $($_.definition)`n}" > "$folder\function-$($_.name).ps1"
}

sassdawe

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

sassdawe

using namespace System.Management.Automation
using namespace Microsoft.PowerShell.Commands
function Write-FunctionError {
<#
.SYNOPSIS
Writes an error within the context of the containing CmdletBinding() function. Makes error displays prettier
.NOTES
ScriptStackTrace will still show Write-FunctionError, so its not completely transparent. There's no way to "edit" or "replace" this stacktrace that I can find.
.EXAMPLE
function test {

sassdawe

$PSDefaultParameterValues["Get-AzADUser:Select"] = @("DisplayName", "Id", "UserPrincipalName", "UserType", "AccountEnabled")