| IDA Plugins | Preferred | Neutral | Unreviewed |
|---|
Noah thesubtlety
rsmudge
/ comexec.cna
Created
January 6, 2017 22:06
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Lateral Movement alias | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # register help for our alias | |
| beacon_command_register("com-exec", "lateral movement with DCOM", | |
| "Synopsis: com-exec [target] [listener]\n\n" . | |
| "Run a payload on a target via DCOM MMC20.Application Object"); | |
| # here's our alias to collect our arguments | |
| alias com-exec { |
rsmudge
/ initial.cna
Created
February 20, 2019 20:33
How to automate Beacon to execute a sequence of tasks with each checkin...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
TheWover
/ Find-Assemblies.ps1
Last active
June 6, 2022 17:53
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Param([parameter(Mandatory=$true, | |
| HelpMessage="Directory to search for .NET Assemblies in.")] | |
| $Directory, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to search recursively.")] | |
| [switch]$Recurse = $false, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to include DLLs in the search.")] | |
| [switch]$DLLs = $false, | |
| [parameter(Mandatory=$false, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function dockershell() { | |
| docker run --rm -i -t --entrypoint=/bin/bash "$@" | |
| } | |
| function dockershellsh() { | |
| docker run --rm -i -t --entrypoint=/bin/sh "$@" | |
| } | |
| function dockershellhere() { | |
| dirname=${PWD##*/} |
matterpreter
/ CallTreeToJSON.py
Last active
April 29, 2023 12:06
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #@author matterpreter | |
| #@category | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| ### | |
| # To import to Neo4j: | |
| # CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE | |
| # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Requires: curl, jq | |
| # Download MITRE ATT&CK data from GitHub repository | |
| curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | |
| # List all ATT&CK object types | |
| jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json | |
| # List all ATT&CK technique identifiers | |
| jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json |
Some golden links when you are having issues: https://social.technet.microsoft.com/Forums/windows/en-US/96016a13-9062-4842-b534-203d2f400cae/ca-certificate-request-error-quotdenied-by-policy-module-0x80094800quot-windows-server-2008?forum=winserversecurity
Download and install Certi
xpn
/ getsystem_parent.cpp
Created
November 20, 2017 00:11
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) { | |
| TOKEN_PRIVILEGES tp; | |
| LUID luid; | |
| TOKEN_PRIVILEGES tpPrevious; | |
| DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES); | |
| if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------------------------- | |
| <WinProcess "smss.exe" pid 520 at 0x5db0c50L> | |
| 64 | |
| [!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000 | |
| -------------------------------------------------------------------------------- | |
| <WinProcess "csrss.exe" pid 776 at 0x5db0908L> | |
| 64 | |
| Interfaces : | |
| Endpoints : |