This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Host Enumeration: | |
--- OS Specifics --- | |
wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
wmic computersystem LIST full | |
--- Anti-Virus --- | |
wmic /namespace:\\root\securitycenter2 path antivirusproduct |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.IO; | |
using System.IO.Compression; | |
using System.Text; | |
using System.Collections.Generic; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function New-RegSvr32BatchFile | |
{ | |
<# | |
.SYNOPSIS | |
Generates a batch file which will contain a certutil encoded, cab compressed payload. | |
.DESCRIPTION | |
The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want. | |
Create payload: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// | |
// MyInstallerPane.m | |
// messagebox | |
// | |
// Created by Chris Ross on 1/23/18. | |
// Copyright © 2018 testplugin. All rights reserved. | |
// | |
/* | |
This should be in MyInstallerPane.h |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This idea originated from this blog post on Invoke DSC Resources directly: | |
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/ | |
<# | |
$MOFContents = @' | |
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref | |
{ | |
ResourceID = "[Script]ScriptExample"; | |
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; | |
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import zipfile | |
import io | |
import sys | |
import os, imp | |
import base64 | |
import threading | |
moduleRepo = {} | |
_meta_cache = {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fswatch command | |
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/ | |
Output when event is triggered | |
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}' | |
osquery.results.log output from event. | |
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<array> | |
<dict> | |
<key>name</key> | |
<string>empire rules</string> | |
<key>enabled</key> | |
<true/> | |
<key>eventTypes</key> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function New-InstallUtilBatchFile | |
{ | |
<##> | |
#You must provide an encoded payload using certutil -encode for the InFilePath. | |
#certutil -encode payload.exe payload.txt | |
#For compiling w/ a managed powershell runner | |
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs | |
[CmdletBinding()] | |
param | |
( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
# New function naming schema: | |
# Verbs: | |
# Get : retrieve full raw data sets | |
# Find : ‘find’ specific data entries in a data set |
NewerOlder