mvelazco mvelazc0
View PurpleSharp_PlaybookExample.json
{
"username": "psharp",
"domain": "domain",
"dc": "192.168.1.2",
"sleep": 1,
"playbooks": [
{
"name": "Adversary Simulation Playbook 1",
"host": "win10-1",
"scoutfpath": "C:\\Installer.exe",
View GetAndRunBlockDlls.cs
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace GetAndRunBlockDlls
{
class Program
mvelazc0 / GetAndRun.cs
Last active Oct 4, 2020
Downloads an XOR-encrypted assembly payload (Payload.cs) and executes the "Run" method using .NET reflection
View GetAndRun.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Reflection;
using System.Text;
namespace GetAndRun
{
mvelazc0 / GetSystem.cs
Last active Dec 7, 2020
Escalates to SYSTEM leveraging OpenProcess, OpenProcessToken and ImpersonateLoggedOnUser. https://attack.mitre.org/beta/techniques/T1134/. Needs to run as a High Integrity proc. Needs SeDebugPrivilege
View GetSystem.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
//Based on https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html
namespace GetSystem
{
class Program
{
mvelazc0 / InjectDonut.cs
Last active Oct 12, 2020
Leverages donut.exe (https://github.com/TheWover/donut) to generate position-independent shellcode and injects it into a process using CreateRemoteThread. In this POC, notepad.exe
View InjectDonut.cs
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
namespace InjectDonut
{
public class Program
{