Skip to content

Instantly share code, notes, and snippets.

View ConsciousHacker's full-sized avatar

Chris "Lopi" Spehn ConsciousHacker

View GitHub Profile
@ConsciousHacker
ConsciousHacker / README.md
Created September 1, 2020 20:58 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@ConsciousHacker
ConsciousHacker / minimal-defender-bypass.profile
Created January 2, 2022 21:20 — forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@ConsciousHacker
ConsciousHacker / Deploy-EnforcedWDACScanPolicy.ps1
Created March 22, 2024 16:30 — forked from bohops/Deploy-EnforcedWDACScanPolicy.ps1
Restrictive (with caveats) WDAC Policy for research purposes
Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line