Matt Nelson enigma0x3
enigma0x3
/ Get-NonstandardService.ps1
Last active
August 12, 2022 15:41
— forked from HarmJ0y/Get-NonstandardService.ps1
Get-NonstandardService
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-NonstandardService { | |
| <# | |
| .SYNOPSIS | |
| Returns services where the associated binaries are either not signed, or are | |
| signed by an issuer not matching 'Microsoft'. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
enigma0x3
/ rpc_dump_rs5.txt
Created
January 22, 2019 16:57
— forked from masthoon/rpc_dump_rs5.txt
RPC interfaces RS5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------------------------- | |
| <WinProcess "smss.exe" pid 368 at 0x5306908L> | |
| 64 | |
| [!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000 | |
| -------------------------------------------------------------------------------- | |
| <WinProcess "csrss.exe" pid 472 at 0x5306e48L> | |
| 64 | |
| Interfaces : | |
| Endpoints : |
enigma0x3
/ ConvertShellcode.py
Created
October 25, 2018 21:01
— forked from rvrsh3ll/ConvertShellcode.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import binascii | |
| import sys | |
| file_name = sys.argv[1] | |
| with open (file_name) as f: | |
| hexdata = binascii.hexlify(f.read()) | |
| hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2])) | |
| shellcode = '' | |
| for i in hexlist: | |
| shellcode += "0x{},".format(i) |
enigma0x3
/ rpc_dump_august.txt
Created
October 23, 2018 17:20
— forked from masthoon/rpc_dump_rs4.txt
RPC interfaces dump August 2018
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------------------------- | |
| <WinProcess "smss.exe" pid 520 at 0x5db0c50L> | |
| 64 | |
| [!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000 | |
| -------------------------------------------------------------------------------- | |
| <WinProcess "csrss.exe" pid 776 at 0x5db0908L> | |
| 64 | |
| Interfaces : | |
| Endpoints : |
enigma0x3
/ UACBypass.ps1
Created
October 18, 2016 15:30
— forked from mattifestation/UACBypass.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-UACBypass { | |
| <# | |
| .SYNOPSIS | |
| Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
| Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
enigma0x3
/ Backdoor-Minimalist.sct
Last active
March 9, 2025 06:49
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |