The Automated Collection and Enrichment Platform: ACE

The Automated Collection and Enrichment ACE platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports...

Data Exfiltration over DNS Request Covert Channel: DNSExfiltrator

DNSExfiltrator allows for transfering exfiltrate a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel. DNSExfiltrator has two sides: 1. The server side , coming as a single python script dnsexfiltrator.py , which ac...

How to deploy Veeam Service Provider Console Communication Agent in Unattended Mode

Challenge Some deployment scenarios may require that the Veeam Service Provider Console Communication Agent is deployed via Windows PowerShell in the silent mode. Solution Run Windows PowerShell as administrator and execute following command with correct values for Tenant's username in VACTENANT=...

Invoke-PSImage - Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute

Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file of from the web when the -Web flag is...

CHM Help Files Deliver Brazilian Banking Trojan

Security researchers are warning of a new spam campaign targeting Brazilian institutions that contain Compiled HTML file attachments that are used to deliver a banking Trojan. Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researche...

Jenkins - XStream Groovy classpath Deserialization (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Jenkins XStream Groovy classpath Deserialization Vulnerability', 'Description' = %q This module exploits CVE-2016-0792 a vulnerability in Jenkins...

Jenkins XStream Groovy classpath Deserialization Exploit

This Metasploit module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default...

Invoke-Phant0m - Windows Event Log Killer

This script walks thread stacks of Event Log Service process spesific svchost.exe and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running. I have made this script for two...

MS-Word Payload Delivery: Macro Creator

Invoke-MacroCreator is a powershell Cmdlet that allows for the creation of an MS-Word document embedding a VBA macro with various payload delivery and execution capabilities. Description Basically the script supports three types of payload that you MUST specify using the -t argument: 1. shellcode...

Permissions Flaw Found on Azure AD Connect

A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network. Microsoft issued an advisory for the vulnerability on Tuesday. Affected are Office 365 customers running...

Microsoft Office DDE Payload Delivery Exploit

This Metasploit module generates an DDE command to place within a word document, that when executed, will retrieve a HTA payload via HTTP from an web server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...

Microsoft Office - Dynamic Data Exchange 'DDE' Payload Delivery (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Microsoft Office DDE Payload Delivery', 'Description' = %q This module generates an DDE command to place within a word document, that when...

Microsoft Office DDE Payload Delivery

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Microsoft Office DDE Payload Delivery', 'Description' = %q This module generates an DDE command to place within a word document, that when...

Microsoft Office DDE Payload Delivery

This module generates an DDE command to place within a word document, that when executed, will retrieve a HTA payload via HTTP from an web server. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule...

PowerShell script to check what vdisk version is being used

Looking for assistance with powershell script to check what vdisk version on the PVS is being used by the VDI desktops Target Devices...

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run...

The vulnerability of the Microsoft Device Guard component in Windows operating systems allows a hacker to inject malicious code into Windows PowerShell sessions.

The vulnerability of the components used to protect the integrity of Microsoft Device Guard’s hardware and software on Windows operating systems is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker, operating locally, to bypass integrity checks and...

Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs

A recently disclosed severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute a backdoor malware. First spotted by researchers at security firm Fortinet, the malware has...

DBC2 (DropboxC2) - A Modular Post-Exploitation Tool, Composed Of An Agent Running On The Victim'S Machine

DBC2 DropboxC2 is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controler, running on any machine, powershell modules, and Dropbox servers as a means of communication. This project was initially inspired by the fantastic Empire framework, but also as an...

Excalibur - An Eternalblue exploit payload based Powershell

Excalibur is an Eternalblue exploit based "Powershell" for the Bashbunny project. It's purpose is to reflect on how a "simple" USB drive can execute the 7 cyber kill chain. Excalibur may be used only for demostrations purposes only, and the developers are not responsible to any misuse or illeagal...