1579 matches found
PowerUpSQL - A PowerShell Toolkit for Attacking SQL Server
The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could...
HatDBG - Minimal WIN32 Debugger in Powershell
HatDBG is a pure PowerShell Win32 debugging abstraction class. The goal of this project is to make a PowerShell debugger. It is intended to be used during internal penetration tests and red team engagements. This is exclusively for educational purposes. The debugger objects implementing a...
Microsoft Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Windows Escalate UAC Protection Bypass with Fileless', 'Description' = %q This module will bypass Windows UAC by utilizing...
WMI vs. WMI: Monitoring for Malicious Activity
Hello, my name is: WMI. WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle. WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI was developed as Microsoft’s interpretation of...
Microsoft Open Sources PowerShell; Now Available for Linux and Mac OS X
'Microsoft loves Linux', and this has never been more true than now. Microsoft today made its PowerShell scripting language and command-line shell available to the open source developer community on GitHub under the permissive MIT license. The company has also launched alpha versions of PowerShell f...
Latest Windows UAC Bypass Permits Code Execution
Less than a month after disclosing a Windows User Account Control bypass, researcher Matt Nelson today published another attack that circumvents the security feature and leaves no traces on the hard disk. This time, the bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to...
SMB Delivery Module
require 'msf/core' require 'msf/core/exploit/powershell' class MetasploitModule "SMB Delivery", 'Description' = %q This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. , 'License' = MSFLICENSE,...
SMB Delivery
This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
PowerWare Ransomware Masquerades as Locky to Intimidate Victims
A new variant of the PowerWare ransomware is stealing street creds from the Locky strain of ransomware in an attempt to spoof the malware family. A new sample of PowerWare found by Palo Alto Networks’ Unit 42 reveals the ransomware’s quickly evolving tactics. According to researchers, a new versi...
Microsoft Windows PowerShell Execution Policy
Nessus was able to collect and report the PowerShell execution policy for the remote Windows host. C Tenable Network Security, Inc. include"compat.inc"; if !definedfunc"nasllevel" || nasllevel 5200 exit0, "Not Nessus 5.2+"; if description scriptid92367; scriptversion"1.6";...
Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...
CVE-2016-0321
IBM Personal Communications (aka PCOMM) 6.x before 6.0.17 and 12.x before 12.0.0.1 does not properly restrict credential extraction, which allows local users to discover passwords by leveraging access to the victim account and executing a PowerShell script...
MS16-032 Secondary Logon Handle local mention the right vulnerability
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/payloadgenerator' require 'msf/core/exploit/powershell' require 'rex' class MetasploitModule...
Reverse engineering DUBNIUM – Stage 2 payload analysis
Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the...
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation
Exploit for windows platform in category local exploits This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/payloadgenerator' require 'msf/core/exploit/powershell' require 'rex' class...
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/payloadgenerator' require 'msf/core/exploit/powershell' require 'rex' class MetasploitModule 'MS16-032 Secondary Logon Handle Privile...
Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password or password hash to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name an...
MS16-032 Secondary Logon Handle Privilege Escalation
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/payloadgenerator' require 'msf/core/exploit/powershell' require 'rex' class MetasploitModule 'MS16-032 Secondary Logon Handle Privile...
MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems wi...
Regsvr32.exe (.sct) Application Whitelisting Bypass Server
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Regsvr32.exe .sct Application Whitelisting Bypass Server', 'Description' = %q This module simplifies the Regsvr32.exe Application Whitelisting...