3059 matches found

Microsoft Malware Protection
added 2017/12/04 2:00 p.m., 2125 views

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run...

CVSS 9.3, AI score 8, EPSS 0.93965
Exploits 14
The Hacker News
added 2017/11/28 11:05 p.m., 1848 views

Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs

A recently disclosed severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute a backdoor malware. First spotted by researchers at security firm Fortinet, the malware has...

CVSS 9.3, AI score 8.3, EPSS 0.94354
Exploits 33
Kitploit
added 2017/11/24 1:12 p.m., 15 views

DBC2 (DropboxC2) - A Modular Post-Exploitation Tool, Composed Of An Agent Running On The Victim's Machine

DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controller running on any machine, PowerShell modules, and Dropbox servers as a means of communication. This project was initially inspired by the fantastic Empire framework, but also as an...

AI score 7.9
Exploits 0, References 1
Kitploit
added 2017/11/18 9:21 p.m., 46 views

Excalibur - An Eternalblue exploit payload based Powershell

Excalibur is an EternalBlue exploit based on "PowerShell" for the Bash Bunny project. Its purpose is to reflect on how a "simple" USB drive can execute the 7-step cyber kill chain. Excalibur may be used for demonstration purposes only, and the developers are not responsible for any misuse or illegal...

AI score 7.7
Exploits 0, References 2
Talos Blog
added 2017/11/17 8:07 a.m., 123 views

Threat Round Up for Nov 10 - Nov 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between November 10 and November 17. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior...

AI score 6.8
Exploits 0
Kitploit
added 2017/11/15 9:30 p.m., 17 views

Fake Sandbox Processes (FSP) - Tool to simulate fake processes of analysis sandbox/VM software

This small script will simulate fake processes of analysis, sandbox and/or VM software that some malware will try to avoid. You can download the original script made by @x0rz in the orig directory. You can also download my slightly optimized script in the main directory. The file is named fsp.ps1...

AI score 7.4
Exploits 0, References 1
Check Point Advisories
added 2017/11/15 12:00 a.m., 1 view

PowerShell Empire Windows HTTP Reverse Shell

PowerShell Empire is a post exploitation tool. A successful exploitation may allow execution of arbitrary code on the affected target...

AI score 3.2
Exploits 0
n0where
added 2017/11/14 3:03 p.m., 871 views

PowerShell Penetration Testing Framework: Nishang

Nishang is an open source framework and collection of powerful PowerShell scripts and payloads that you can use during a penetration testing audit, the post-exploitation phase, or other stages of offensive security auditing. Nishang is useful during various phases of a security auditing process and has...

AI score 0.2
Exploits 0, References 80
Kitploit
added 2017/11/08 1:21 p.m., 12 views

Cromos - Download and Inject code into Google Chrome extensions

Cromos is a tool for downloading legitimate extensions from the Chrome Web Store and injecting code into the background of the application. Cromos can also create executable files to force installation, via PowerShell for example, and upload files to Dropbox to host the malicious files. Download...

AI score 7
Exploits 0, References 1
Citrix
added 2017/11/03 12:00 a.m., 5 views

How to Update MCS created Machine Catalog to modify vCPU, RAM.

Due to performance issues, the vCPU and RAM need to be increased. This can be done with PowerShell...

AI score 7
Exploits 0
Tenable Nessus
added 2017/11/03 12:00 a.m., 71 views

KB4042895: Windows 10 October 2017 Cumulative Update (KRACK)

The remote Windows host is missing security update 4042895. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtai...

CVSS 10, AI score 8.4, EPSS 0.78672
Exploits 34, References 41
n0where
added 2017/11/02 3:17 p.m., 20 views

PowerShell Post-Exploitation Agent: Empire

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architectur...

AI score 0.2
Exploits 0, References 1
Kitploit
added 2017/10/25 9:25 p.m., 6 views

ZeroDoor - A Script Written Lazily For Generating Cross-Platform Backdoors

A script written lazily for generating reverse shell backdoors on the go, whenever you need them, without any hassle for your daily penetration needs. These backdoors are not James Bond high-tech stuff but rather simple ones, to prevent over-exploitation, and have limited capabilities. Once you generate the...

AI score 7.8
Exploits 0, References 1
The Coalfire Blog
added 2017/10/19 8:32 p.m., 14 views

Scripted Inputs and Splunk

Splunk is an extremely versatile tool when dealing with data: - Monitor files? Check! - Listen in on an open port? Check! - Monitor the file system? Performance monitor? HTTP Event Collector? - Check, check aaaaand check! But what if the data you want to ingest does not have a method listed...

AI score 0.1
Exploits 0
Kitploit
added 2017/10/15 9:00 p.m., 71 views

PowerSAP - Powershell SAP Assessment Tool

PowerSAP is a simple powershell re-implementation of popular & effective techniques of all public tools such as Bizploit, Metasploit auxiliary modules, or python scripts available on the Internet. This re-implementation does not contain any new or undisclosed vulnerability. PowerSAP allows to rea...

AI score 7.2
Exploits 0, References 1
Kitploit
added 2017/10/15 1:30 p.m., 20 views

ACLight - PowerShell Script for Advanced Discovery of Privileged Accounts (includes Shadow Admins)

ACLight is a tool for discovering privileged accounts through advanced ACL (Access Control List) analysis. It includes the discovery of Shadow Admins in the scanned network. The tool queries Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one...

AI score 7.1
Exploits 0, References 1
NVD
added 2017/10/13 1:29 p.m., 14 views

CVE-2017-8715

The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a security feature bypass by the way it handles Windows PowerShell sessions, aka "Windows Security Feature Bypass"...

CVSS 5.3, AI score 5.2, EPSS 0.01906
Exploits 0, References 3
OSV
added 2017/10/13 1:29 p.m., 0 views

CVE-2017-8715

The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a security feature bypass by the way it handles Windows PowerShell sessions, aka "Windows Security Feature Bypass"...

CVSS 5.3, AI score 5.8, EPSS 0.01906
Exploits 0, References 3
NVD
added 2017/10/13 1:29 p.m., 15 views

CVE-2017-11823

The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a security feature bypass by the way it handles Windows PowerShell sessions, aka "Microsoft Windows Security Feature Bypass"...

CVSS 7.2, AI score 6.4, EPSS 0.03449
Exploits 3, References 4
OSV
added 2017/10/13 1:29 p.m., 0 views

CVE-2017-11823

The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a security feature bypass by the way it handles Windows PowerShell sessions, aka "Microsoft Windows Security Feature Bypass"...

CVSS 6.7, AI score 5.8, EPSS 0.03449
Exploits 3, References 4
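Both CVE entries above (CVE-2017-8715 and CVE-2017-11823) describe Device Guard failing to restrict a Windows PowerShell session. Under an enforced Device Guard user-mode code integrity (UMCI) policy, PowerShell runs scripts and interactive sessions that the policy does not trust in ConstrainedLanguage mode, so a session found running in FullLanguage on a host whose UMCI policy is enforced deserves a closer look. The following is an added example for checking that condition on a host; it is not code from NVD, OSV, or Microsoft, and it does not test for either CVE. It assumes Windows 10 or Windows Server 2016 exposing the Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace, and the FullLanguageUnderUMCI flag is this example's own heuristic.

```powershell
# Added example (not from the NVD/OSV entries): report the Device Guard UMCI
# enforcement state alongside the language mode of the current PowerShell
# session. Assumes Win32_DeviceGuard is available (Windows 10 / Server 2016)
# and the caller may read it. Uses only cmdlets, hashtables and core types, so
# it also runs from a session that is itself in ConstrainedLanguage mode.
function Get-DeviceGuardPowerShellPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Documented values of UsermodeCodeIntegrityPolicyEnforcementStatus:
    # 0 = off, 1 = audit mode, 2 = enforced.
    $umci  = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $names = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $umciName = if ($names.ContainsKey($umci)) { $names[$umci] } else { "Unknown($umci)" }

    $mode = $ExecutionContext.SessionState.LanguageMode

    # Heuristic (this example's own, not a CVE test): with UMCI enforced, a
    # session the policy does not trust should be constrained. FullLanguage here
    # means either the policy deliberately trusts this PowerShell host, or the
    # restriction is being bypassed; confirm which against the policy.
    $suspect = ($umci -eq 2) -and ($mode -eq 'FullLanguage')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        UMCIEnforcement       = $umciName
        PSLanguageMode        = "$mode"
        PSVersion             = "$($PSVersionTable.PSVersion)"
        FullLanguageUnderUMCI = $suspect
    }
}

Get-DeviceGuardPowerShellPosture | Format-List
```

Run it from the session you want to assess (the language mode reported is that of the calling session, not of PowerShell in general). A result of UMCIEnforcement = Off with PSLanguageMode = FullLanguage is the normal state of an unmanaged host and says nothing about these CVEs; the pairing worth investigating is Enforced with FullLanguage.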