Skip to content

Instantly share code, notes, and snippets.

@ChoiSG
ChoiSG / bullyhunter.sh
Created April 17, 2019 17:21
Catch all the bullies!
#!/bin/bash
# author: choi
# Note: There is a shorter version coming. IRSEC forces members to only
# type their scripts, so I'll be making a shorter version of this.
# Description: Bullyhunter downloads LiME and volatility, which "maybe" helps
# to track down the already implemented rookit. Best of luck.
#
#
# if you are lost
@ChoiSG
ChoiSG / Parse-Mimikatz.ps1
Created March 11, 2020 21:15
Parsing mimikatz output - simplified
# Author: Will Schroeder (https://github.com/PowerShellEmpire/PowerTools/blob/master/PewPewPew/Invoke-MassMimikatz.ps1)
# modification: choisg - Very little modification has been done to simplify the output
# helper to parse out Mimikatz output
function Parse-Mimikatz {
[CmdletBinding()]
param(
[string]$raw
)
#include <stdio.h>
#include <time.h>
#include <string.h>
int main(){
printf("Opening blahblahblah\n");
int n, a = 0;
char psy[20];
@ChoiSG
ChoiSG / hooktester.cs
Created May 7, 2021 01:16
basic process injector that will get caught by SylantStrike (https://github.com/CCob/SylantStrike)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Text;
namespace hooktester
{
class Program
@ChoiSG
ChoiSG / dinvokeSyscall.cs
Created May 7, 2021 18:37
dinvoke with syscall - created for blog post
using System;
using DInvoke;
using System.Diagnostics;
using System.Runtime.InteropServices;
using DynamicInvoke = DInvoke.DynamicInvoke;
using Data = DInvoke.Data;
namespace dinvokeSyscall
{
class Program
@ChoiSG
ChoiSG / execute_assembly_bin.nim
Last active February 4, 2022 16:13
testnim for Invoke-ReflectivePEInjection
#[
Author: Marcello Salvati, Twitter: @byt3bl33d3r
License: BSD 3-Clause
I still can't believe this was added directly in the Winim library. Huge props to the author of Winim for this (khchen), really great stuff.
Make sure you have Winim >=3.6.0 installed. If in doubt do a `nimble install winim`
Also see https://github.com/khchen/winim/issues/63 for an amazing pro-tip from the author of Winim in order to determine the marshalling type of .NET objects.
References:
- https://github.com/khchen/winim/blob/master/examples/clr/usage_demo2.nim
]#
@ChoiSG
ChoiSG / httpgrunt_amsibypass.cs
Last active March 16, 2022 23:02
httpgrunt with amsi bypass
// This is a Covenant Template file. Go to Covenant ==> Template ==> GruntHTTP ==> Stager Code
// and copy/paste this.
using System;
using System.Net;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.IO.Pipes;
using System.Reflection;
@ChoiSG
ChoiSG / HTTPGruntAmsiBypass.cs
Last active March 17, 2022 20:16
AMSI Bypass HTTP Grunt
using System;
using System.Net;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.IO.Pipes;
using System.Reflection;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Runtime.InteropServices; // For PInvoke
@ChoiSG
ChoiSG / stagezero.cs
Last active March 18, 2022 21:01
stage zero using dinvoke to inject donut'ed covenant grunt
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using DynamicInvoke = DInvoke.DynamicInvoke;
// Install DInvoke, Fody, and Costura Fody through Nuget
namespace stagezero
{
class Program
@ChoiSG
ChoiSG / rsrcDecryptAssembly.nim
Last active September 19, 2022 17:31
embed .net, decrypt, load and execute in nim poc
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.