1579 matches found

Packet Storm, added 2016/12/02 12:00 a.m., 53 views

Windows Escalate UAC Protection Bypass

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule 'Windows Escalate UAC Protection Bypass Via Eventvwr Regist...

AI score: 0.3 | Exploits: 0
n0where, added 2016/12/01 8:43 p.m., 710 views

Windows Anti Recon Tool: SAMRi10

Windows Anti Recon Tool: “SAMRi10” is a short PowerShell (PS) script which alters the default permissions for remote SAM access on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s...

AI score: 2.3 | Exploits: 0 | References: 3
n0where, added 2016/11/14 6:24 a.m., 105 views

PowerShell Digital Forensics: PowerForensics

PowerShell Digital Forensics: The purpose of PowerForensics is to provide an all-inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support. PowerForensics is built on a C# Class...

AI score: 1 | Exploits: 0 | References: 2
ThreatPost, added 2016/10/31 3:57 p.m., 19 views

Nymaim Dropper Updates Delivery, Obfuscation Methods

A new variant of the Nymaim dropper has been identified that includes updated delivery and obfuscation methods, and the use of PowerShell routines to download its payloads. The updated dropper, used primarily to download banking Trojans in the past, has also been spreading ransomware, according t...

AI score: 0.1 | Exploits: 0 | References: 4
Veeam, added 2016/10/24 12:00 a.m., 24 views

PowerShell Script Execution Troubleshooting Advice

Veeam Support Scope. Per Veeam Support Policy: Custom script troubleshooting is not supported. What's in Scope: Confirming that the Veeam task executed the script. Assisting with Veeam PowerShell cmdlets not functioning as intended or documented. What's Out of Scope: Troubleshooting why a custom...

AI score: 7.6 | Exploits: 0 | Affected Software: 1
Metasploit, added 2016/10/21 5:31 p.m., 933 views

Shell to Meterpreter Upgrade

This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with 'python/meterpreter/reverse_tcp' used on all others. This...

AI score: 7.5 | Exploits: 0
ThreatPost, added 2016/10/20 7:00 a.m., 87 views

FruityArmor APT Group Used Recently Patched Windows Zero Day

One of the four zero-day vulnerabilities Microsoft patched last week was being used by an APT group called FruityArmor to carry out targeted attacks, escape browser-based sandboxes, and execute malicious code in the wild. Anton Ivanov, a researcher at Kaspersky Lab, was credited by Microsoft for...

CVSS: 10 | AI score: 1.7 | EPSS: 0.55736 | Exploits: 5 | References: 10
Microsoft Malware Protection, added 2016/10/19 6:28 p.m., 18 views

The new .LNK between spam and Locky infection

Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors might be using to keep it going. The decline in Locky activity can be attributed to the slowdown of detections of Nemucod, which Locky...

AI score: 7 | Exploits: 0
Packet Storm, added 2016/10/12 12:00 a.m., 21 views

HTA Web Server

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'HTA Web Server', 'Description' = %q This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell. When a user...

Exploits: 0
Kitploit, added 2016/10/11 9:27 p.m., 27 views

PowerLurk - Malicious WMI Events using PowerShell

PowerLurk is a PowerShell toolset for building malicious WMI Event Subscriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement. Please see my post Creeping on Users with WMI Events: Introducing PowerLurk for more detailed information:...

AI score: 7 | Exploits: 0 | References: 2
n0where, added 2016/10/10 1:22 a.m., 18 views

Windows Remote Incident Response: CimSweep

Windows Remote Incident Response: CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaissance without the need to drop any payload to...

AI score: 1.4 | Exploits: 0 | References: 1
Packet Storm, added 2016/10/10 12:00 a.m., 36 views

Powershell Payload Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/post/windows/services' require 'msf/core/post/windows/powershell' require 'msf/core/exploit/powershell/dotnet' class MetasploitModule...

AI score: 7.4 | Exploits: 0
Metasploit, added 2016/10/08 7:05 p.m., 47 views

Powershell .NET Compiler

This module will build a .NET source file using powershell. The compiler builds the executable or library in memory and produces a binary. After compilation the PowerShell session can also sign the executable if provided a path to a .pfx formatted certificate. Compiler options and a list of...

AI score: 10 | Exploits: 0
Metasploit, added 2016/10/08 7:05 p.m., 20 views

Powershell Payload Execution

This module generates a dynamic executable on the session host using .NET templates. Code is pulled from C# templates and impregnated with a payload before being sent to a modified PowerShell session with .NET 4 loaded. The compiler builds the executable (standard or Windows service) in memory and...

AI score: 7 | Exploits: 0
FireEye, added 2016/10/07 12:00 p.m., 16 views

Increased Use of WMI for Environment Detection and Evasion

Introduction: Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation (WMI) queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...

AI score: 7.4 | Exploits: 0 | References: 2
FireEye, added 2016/10/07 8:00 a.m., 37 views

Increased Use of WMI for Environment Detection and Evasion

Introduction: Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation (WMI) queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...

AI score: 7.4 | Exploits: 0
Metasploit, added 2016/10/06 11:25 p.m., 38 views

HTA Web Server

This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed. This module requires Metasploit: https://metasploit.com/download Current source:...

AI score: 6.9 | Exploits: 0
FireEye, added 2016/09/23 10:30 a.m., 33 views

Hancitor (AKA Chanitor) observed using multiple attack approaches

Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware (also known by the name Chanitor) are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon...

AI score: 0.5 | Exploits: 0
ThreatPost, added 2016/09/22 9:00 a.m., 11 views

Malware Evades Detection with Novel Technique

Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment. The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the number of...

AI score: 0.1 | Exploits: 0 | References: 3
n0where, added 2016/09/19 7:27 p.m., 23 views

Data Exfiltration Toolkit: DET

Data Exfiltration Toolkit: DET is provided AS IS and is a proof of concept to perform Data Exfiltration using either single or multiple channels at the same time. This is a Proof of Concept aimed at identifying possible DLP failures. This should never be used to exfiltrate sensitive/live data. The id...

AI score: 7.1 | Exploits: 0 | References: 1