Chris "Lopi" Spehn ConsciousHacker
rasta-mouse
/ PPID Spoof & BlockDLLs
Last active
April 1, 2025 22:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
tothi
/ minimal-defender-bypass.profile
Last active
April 1, 2025 22:38
Minimal Cobalt Strike C2 Profile for Bypassing Defender
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) | |
| # as stage0, remote injecting a thread into a suspended process works | |
| set host_stage "false"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; | |
| set sleeptime "10000"; | |
| stage { | |
| set allocator "MapViewOfFile"; | |
| set name "notevil.dll"; |
bohops
/ Deploy-EnforcedWDACScanPolicy.ps1
Last active
May 17, 2024 01:05
Restrictive (with caveats) WDAC Policy for research purposes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host " | |
| ============================================================================================================================== | |
| *Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI) | |
| *Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed). | |
| *For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy | |
| *System reboots when PowerShell script finishes | |
| *Run as a privileged user in high integrity | |
| *To remove enforcement, comment out enforce line |
ConsciousHacker
/ Deploy-EnforcedWDACScanPolicy.ps1
Created
March 22, 2024 16:30
— forked from bohops/Deploy-EnforcedWDACScanPolicy.ps1
Restrictive (with caveats) WDAC Policy for research purposes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host " | |
| ============================================================================================================================== | |
| *Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI) | |
| *Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed). | |
| *For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy | |
| *System reboots when PowerShell script finishes | |
| *Run as a privileged user in high integrity | |
| *To remove enforcement, comment out enforce line |
OlderNewer