[JS File]
function setversion() {
}
function debug(s) {}
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);

// CVE-2023-33127 POC Exploit: .NET Cross-Session Privilege Escalation
// Ref: https://bohops.com/2023/11/27/abusing-net-core-clr-diagnostic-features-cve-2023-33127/
using System;
using System.Runtime.InteropServices;
using System.Threading;
using System.Diagnostics;
using System.Security.Principal;
using System.IO.Pipes;
using System.IO;

Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line

Write-Host "
==============================================================================================================================
*Quickly Deploy an Enforced Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit Windows signed applications (e.g. what comes with the OS).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with the Default Enforced Rules
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
==============================================================================================================================

//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
{
class Program

*Purpose
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code

# Quick & Dirty Ping Monitor + Email Report
# -----------------------------------------
# Code Credits:
# - Ping Server In Python: https://stackoverflow.com/questions/2953462/pinging-servers-in-python
# - Simple Python Server Monitor: https://github.com/brendancarlson/Simple-Python-Server-Monitor/blob/master/monitor.py
# -----------------------------------------
# Basic Usage: python3 ping_monitor.py
# Cron Usage:
# - Set for every hour to avoid overwhelming SMTP server thresholds
# - crontab -i

<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.14</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>

//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
//https://github.com/TheWover/DInvoke
/*
// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
MIT License
Copyright (c) 2020 TheWover
Permission is hereby granted, free of charge, to any person obtaining a copy

// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
// This code will launch the target as a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process
// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
// https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
// https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
//
// Applicable detection guidance (with a few possible tweaks) can be found here:
// https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
//