Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. “In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions […]

Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. “Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external […]

Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks

An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorus, APT35, or TA453), while also calling out the […]

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed “CharmPower” for follow-on post-exploitation. “The actor’s attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous […]

Ryuk Ransomware Operators Employ Powershell Commands to Deploy Ransomware

Recently, cybersecurity experts have claimed that the operators of Ryuk ransomware are targeting critical infrastructure to extort high ransoms from their victims. The Ryuk ransomware was spotted for the first time in 2018, and security researchers claim that its operators procured and developed Ryuk from the Hermes ransomware's source code. As last […]

WindowsFirewallRuleset: Windows firewall ruleset powershell scripts

Windows Firewall Ruleset: Windows firewall rules organized into individual PowerShell scripts according to rule group, traffic direction, and IP version (IPv4 / IPv6), and further sorted according to programs and services, for example ICMP…

ThreatHunt: PowerShell repository to train your threat hunting skills

ThreatHunt is a simple PowerShell repository that allows you to train your threat hunting skills. ThreatHunt allows you to simulate a variety of attack techniques and procedures without using malicious files. It is not a penetration testing tool or framework but instead a very simple way to raise security alerts that help you to train […]

MaliciousMacroMSBuild: Generates Malicious Macro and Execute Powershell or Shellcode

Malicious Macro MSBuild Generator generates a malicious macro and executes PowerShell or shellcode via the MSBuild application whitelisting bypass. This tool is intended for adversary simulation and red teaming purposes. Download: git clone https://github.com/infosecn1nja/MaliciousMacroMSBuild.git Usage example: choose a payload you want to test, such as shellcode or PowerShell; the shellcode option supports stageless and staged payloads. Generate a raw shellcode […]

Powershell-RAT | A Backdoor Tool to Extract Data via Gmail

Powershell-RAT is a Python and PowerShell script tool made to help a pen tester backdoor Windows machines during red team engagements. It tracks user activity using screen capture and sends the information to an attacker as an e-mail attachment. The tool is FUD as of Black Hat 2019; you can find the […]

Invisi-Shell: Bypass all Powershell security features

Hide your PowerShell script in plain sight! Invisi-Shell bypasses all of PowerShell's security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .NET assemblies. The hook is performed via the CLR Profiler API. This is still a preliminary version intended as a POC. The code works only on x64 processes and has been tested against PowerShell V5.1. Usage […]

PoshC2 – Powershell C2 Server and Implants

Many tools are written in PowerShell, especially for red team activities, because most modern Windows systems include PowerShell and administrators usually don't restrict access to the PowerShell console for normal users. This gives an attacker a great advantage, especially if PowerShell usage is not monitored by the blue team. PoshC2 is a […]

Red Team Powershell Scripts

Various PowerShell scripts that may be useful during a red team exercise. The repo includes the following scripts:
Search-EventForUser.ps1: PowerShell script that searches through the Windows event logs for specific user(s)
Search-FullNameToSamAccount.ps1: Full name to SamAccountName
Search-UserPassword.ps1: Search LDAP for the userPassword field
Remote-WmiExecute.ps1: Execute a command remotely using WMI
Take-Screenshot.ps1: Take a […]

Hackers Abuse Windows Installer MSI to Execute Malicious JavaScript, VBScript, PowerShell Scripts to Drop Malware

Hackers use malicious MSI files that download and execute malicious files, which could bypass traditional security solutions. The dropped malware is capable of initiating a system shutdown or targeting financial systems located in certain locations. Security researchers from TrendMicro discovered JScript/VBScript code in several malicious *.msi files distributed through spam emails. The malicious JS code […]

ThunderShell – Python / PowerShell based RAT

ThunderShell is a C# RAT that communicates via HTTP requests. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network detection on the target system. RC4 is a weak cipher and is employed here to help obfuscate the traffic. HTTPS options should be used to provide […]

Invisi-Shell – Hide Your Powershell Script In Plain Sight (Bypass All Powershell Security Features)

Hide your PowerShell script in plain sight! Invisi-Shell bypasses all of PowerShell's security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .NET assemblies. The hook is performed via the CLR Profiler API. Work in progress: this is still a preliminary version intended as a POC. The code works only on x64 processes and has been tested against […]

ADModule – Microsoft Signed ActiveDirectory PowerShell Module

Microsoft-signed DLL for the ActiveDirectory PowerShell module. Just a backup of Microsoft's ActiveDirectory PowerShell module from Server 2016 with RSAT and the module installed. The DLL is usually found at this path: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management, and the rest of the module files at this path: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory. Usage: you can copy this DLL to your machine and […]