README
Create a template service file at /etc/systemd/system/secure-tunnel@.service
. The template parameter will correspond to the name
of target host:
[Unit]
Description=Setup a secure tunnel to %I
After=network.target
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace DinjectorWithQUserAPC | |
{ | |
public class Program |
# | |
# Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. | |
# Attempts to remove both installed and online-only deployments. | |
# | |
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
# | |
# Usage: | |
# PS> . .\Cleanup-ClickOnce.ps1 | |
# PS> Cleanup-ClickOnce -Name MyAppName | |
# |
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
namespace ShellcodeLoader | |
{ | |
class Program |
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.3.14</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
Create a template service file at /etc/systemd/system/secure-tunnel@.service
. The template parameter will correspond to the name
of target host:
[Unit]
Description=Setup a secure tunnel to %I
After=network.target
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
using System.Linq; | |
using System.Reflection; | |
namespace HashInvoke; | |
public class HInvoke | |
{ | |
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
{ | |
// Get the System assembly and go trough all its types hash their name |
#include <Windows.h> | |
#include <winternl.h> | |
#include <stdio.h> | |
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff | |
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52 | |
typedef enum _WORKERFACTORYINFOCLASS | |
{ | |
WorkerFactoryTimeout, // LARGE_INTEGER |
using NtApiDotNet; | |
using NtApiDotNet.Ndr.Marshal; | |
using NtApiDotNet.Win32; | |
using NtApiDotNet.Win32.Rpc.Transport; | |
using NtApiDotNet.Win32.Security.Authentication; | |
using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
using NtApiDotNet.Win32.Security.Authentication.Logon; | |
using System; |