ChoiSG’s gists

ChoiSG / bullyhunter.sh

Created April 17, 2019 17:21

Catch all the bullies!

	#!/bin/bash

	# author: choi
	# Note: There is a shorter version coming. IRSEC forces members to only
	# type their scripts, so I'll be making a shorter version of this.
	# Description: Bullyhunter downloads LiME and volatility, which "maybe" helps
	# to track down the already implemented rookit. Best of luck.
	#
	#
	# if you are lost

ChoiSG / Parse-Mimikatz.ps1

Created March 11, 2020 21:15

Parsing mimikatz output - simplified

	# Author: Will Schroeder (https://github.com/PowerShellEmpire/PowerTools/blob/master/PewPewPew/Invoke-MassMimikatz.ps1)

	# modification: choisg - Very little modification has been done to simplify the output
	# helper to parse out Mimikatz output
	function Parse-Mimikatz {

	[CmdletBinding()]
	param(
	[string]$raw
	)

ChoiSG / httpgrunt_amsibypass.cs

Last active March 16, 2022 23:02

httpgrunt with amsi bypass

	// This is a Covenant Template file. Go to Covenant ==> Template ==> GruntHTTP ==> Stager Code
	// and copy/paste this.

	using System;
	using System.Net;
	using System.Linq;
	using System.Text;
	using System.Text.RegularExpressions;
	using System.IO.Pipes;
	using System.Reflection;

ChoiSG / gist:15405f45d3371a4df5a3c0dc579bdd28

Last active October 15, 2020 18:11

testo.c

	#include <stdio.h>
	#include <time.h>
	#include <string.h>

	int main(){

	printf("Opening blahblahblah\n");

	int n, a = 0;
	char psy[20];

ChoiSG / converToUUID.py

Last active September 28, 2023 10:28

Simple python script to convert shellcode to UUID String

	"""
	Created for : https://blog.sunggwanchoi.com/eng-uuid-shellcode-execution/
	Repo: https://github.com/ChoiSG/UuidShellcodeExec
	"""
	import uuid

	def convertToUUID(shellcode):
	# If shellcode is not in multiples of 16, then add some nullbytes at the end
	if len(shellcode) % 16 != 0:
	print("[-] Shellcode's length not multiplies of 16 bytes")

ChoiSG / execute_assembly_bin.nim

Last active February 4, 2022 16:13

testnim for Invoke-ReflectivePEInjection

	#[
	Author: Marcello Salvati, Twitter: @byt3bl33d3r
	License: BSD 3-Clause
	I still can't believe this was added directly in the Winim library. Huge props to the author of Winim for this (khchen), really great stuff.
	Make sure you have Winim >=3.6.0 installed. If in doubt do a `nimble install winim`
	Also see https://github.com/khchen/winim/issues/63 for an amazing pro-tip from the author of Winim in order to determine the marshalling type of .NET objects.
	References:
	- https://github.com/khchen/winim/blob/master/examples/clr/usage_demo2.nim
	]#

ChoiSG / stagezero.cs

Last active March 18, 2022 21:01

stage zero using dinvoke to inject donut'ed covenant grunt

	using System;
	using System.Runtime.InteropServices;
	using System.Diagnostics;
	using DynamicInvoke = DInvoke.DynamicInvoke;

	// Install DInvoke, Fody, and Costura Fody through Nuget

	namespace stagezero
	{
	class Program

ChoiSG / HTTPGruntAmsiBypass.cs

Last active March 17, 2022 20:16

AMSI Bypass HTTP Grunt

	using System;
	using System.Net;
	using System.Linq;
	using System.Text;
	using System.Text.RegularExpressions;
	using System.IO.Pipes;
	using System.Reflection;
	using System.Collections.Generic;
	using System.Security.Cryptography;
	using System.Runtime.InteropServices; // For PInvoke

ChoiSG / hooktester.cs

Created May 7, 2021 01:16

basic process injector that will get caught by SylantStrike (https://github.com/CCob/SylantStrike)

	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Runtime.InteropServices;
	using System.Diagnostics;
	using System.Text;

	namespace hooktester
	{
	class Program

ChoiSG / dinvokeSyscall.cs

Created May 7, 2021 18:37

dinvoke with syscall - created for blog post

	using System;
	using DInvoke;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using DynamicInvoke = DInvoke.DynamicInvoke;
	using Data = DInvoke.Data;

	namespace dinvokeSyscall
	{
	class Program

Choi ChoiSG