VirtualAlllocEx / DSC_SVC_REMOTE
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
☆50 · Updated last year
Related projects
Alternatives and complementary repositories for DSC_SVC_REMOTE
- Programmatically start WebClient from an unprivileged session to enable that juicy privesc. ☆65 · Updated last year
- A variety of tools, scripts and techniques developed and shared in different programming languages by 0xsp Lab ☆53 · Updated 7 months ago
- A small Aggressor script to help Red Teams identify foreign processes on a host machine ☆81 · Updated last year
- A simple PoC showcasing the ability of an admin to suspend an EDR's protected processes, making it useless ☆39 · Updated 4 months ago
- Lateral Movement via the .NET Profiler ☆76 · Updated 5 months ago
- ☆46 · Updated last year
- ☆58 · Updated 11 months ago
- Malleable profile generator GUI for Havoc ☆56 · Updated last year
- PowerShell script to terminate protected processes such as anti-malware and EDRs. ☆27 · Updated last year
- A repository with my code snippets for research/education purposes. ☆50 · Updated last year
- Proof of Concept code and samples presenting the emerging threat of MSI installer files. ☆77 · Updated last year
- Click Once + App Domain ☆62 · Updated 11 months ago
- ☆25 · Updated last year
- Small project to facilitate creation of .lnk payloads ☆62 · Updated 2 years ago
- Slide decks and/or materials from conference presentations ☆54 · Updated 2 years ago
- A care package of useful BOFs for red team engagements ☆48 · Updated 2 years ago
- Launches a limited shell using PowerShell Runspaces with an optional AMSI bypass. Does not invoke powershell.exe ☆13 · Updated 11 months ago
- ☆28 · Updated 5 months ago
- NidhoggScript is a tool to generate a "script" file that allows execution of multiple commands for Nidhogg ☆47 · Updated 8 months ago
- ☆59 · Updated 3 months ago
- Depending on the AV/EPP/EDR, creating a Task Scheduler job with a default cradle is often flagged ☆86 · Updated 2 years ago
- C# Havoc implant ☆96 · Updated last year
- HelpSystems Nanodump, but wrapped in PowerShell via Invoke-ReflectivePEInjection ☆53 · Updated 2 years ago
- Reasonably undetected shellcode stager and executer. ☆35 · Updated 2 months ago
- Just another ntdll unhooking using Parun's Fart technique ☆72 · Updated last year
- Code Execution & Persistence in NETWORK SERVICE FAX Service ☆31 · Updated 2 years ago
- A pure C version of SymProcAddress ☆23 · Updated 8 months ago
- Payload for DLL sideloading of OneDriveUpdater.exe, based on Palo Alto Networks Unit 42's blog post ☆86 · Updated 2 years ago
- ☆103 · Updated 6 months ago