Create a template service file at /etc/systemd/system/secure-tunnel@.service
. The template parameter will correspond to the name
of target host:
[Unit]
Description=Setup a secure tunnel to %I
After=network.target
using System; | |
using System.Runtime.CompilerServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
namespace FunkyJit | |
{ | |
class Program | |
{ | |
public static void Nothing() { Console.WriteLine(); } | |
static void Main(string[] args) |
blueprint: | |
name: Climate Control | |
description: > | |
## ❄️ Chill Your Room Out! ❄️ | |
![icon](https://developer.lametric.com/content/apps/icon_thumbs/55645_icon_thumb.gif?v=1) | |
_Forget about thy air conditioner remote!_ | |
### Original script and research by commial | |
### https://github.com/commial/experiments/tree/master/windows-defender | |
### Set LUADec_Path to binary | |
### https://github.com/viruscamp/luadec | |
import struct | |
import argparse | |
import sys | |
import os | |
import io | |
import subprocess |
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace DinjectorWithQUserAPC | |
{ | |
public class Program |
# | |
# Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. | |
# Attempts to remove both installed and online-only deployments. | |
# | |
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
# | |
# Usage: | |
# PS> . .\Cleanup-ClickOnce.ps1 | |
# PS> Cleanup-ClickOnce -Name MyAppName | |
# |
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
namespace ShellcodeLoader | |
{ | |
class Program |
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.3.14</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.