PE Injection/Impersonation:
- Process Hollowing (a.k.a. RunPE)
- Process Doppelgänging
- Transacted Hollowing
- Process Ghosting
- Module Overloading & DLL Hollowing
- Chimera PE (variant of a manual PE loader)
Shellcode injection:
2XXE GeneralTesler
View GetAMSIEvent.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matt Graeber | |
| # Company: Red Canary | |
| # To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # To stop the trace, run the following: logman stop AMSITrace -ets | |
| # Example usage: Get-AMSIEvent -Path .\AMSITrace.etl | |
| function Get-AMSIEvent { | |
| param ( |
View injection_demos.md
sixdub
/ beacon.ksy
Created Apr 6, 2021
View beacon.ksy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| meta: | |
| id: beaconconfig | |
| title: Cobalt Strike Beacon Config | |
| endian: be | |
| doc: | | |
| Cobalt Strike Beacon is a popular offensive security tool. Beacon itself | |
| is a DLL that gets injected into memory and can be staged from C2 servers. | |
| The Beacon DLL (in unencoded form) contains a configuration section that gets | |
| patched by the C2 server. This section is a fixed predictable structure |
IanColdwater
/ twittermute.txt
Last active Jan 21, 2022
Here are some terms to mute on Twitter to clean your timeline up a bit.
View twittermute.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Mute these words in your settings here: https://twitter.com/settings/muted_keywords | |
| ActivityTweet | |
| generic_activity_highlights | |
| generic_activity_momentsbreaking | |
| RankedOrganicTweet | |
| suggest_activity | |
| suggest_activity_feed | |
| suggest_activity_highlights | |
| suggest_activity_tweet |
kmcquade
/ AWS API calls that return credentials.md
Last active Jan 16, 2022
AWS API calls that return credentials
View Invoke-ExShellcode.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Lateral movement and shellcode injection via Excel 4.0 macros | |
| Author: Philip Tsukerman (@PhilipTsukerman) | |
| License: BSD 3-Clause | |
| Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM | |
| #> | |
| function Invoke-ExShellcode | |
| { | |
| <# |
Philts
/ Invoke-Excel4DCOM64.ps1
Last active Feb 14, 2021
View Invoke-Excel4DCOM64.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #********************************************************************** | |
| # Invoke-Excel4DCOM64.ps1 | |
| # Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
| # Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason | |
| # Date: 2019/04/21 | |
| # Version: 1.1 | |
| #********************************************************************** | |
| function Invoke-Excel4DCOM | |
| { |
ejcx
/ jwtex_test.go
Created Nov 17, 2018
View jwtex_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package jwtex | |
| import ( | |
| "encoding/base64" | |
| "encoding/json" | |
| "fmt" | |
| "strings" | |
| "testing" | |
| ) |
View cobaltstrike_sa.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
View a_readme.md
Windows Image Template
yum install /usr/bin/virt-install virtio-win
virt-install \
--name 2016 \
--memory 8192 \
NewerOlder