Oddvar Moe api0cradle
api0cradle
/ cobaltstrike_sa.txt
Last active
December 29, 2021 14:56
— forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
api0cradle
/ Copy-AuthenticodeSignedFile.ps1
Created
November 13, 2019 13:28
— forked from mattifestation/Copy-AuthenticodeSignedFile.ps1
When supplied with an Authenticode-signed PowerShell script, Copy-AuthenticodeSignedFile generates the same signed, validated file but with a different file hash.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Copy-AuthenticodeSignedFile { | |
| <# | |
| .SYNOPSIS | |
| Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. | |
| .DESCRIPTION | |
| Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules. |
api0cradle
/ windows_hardening.cmd
Created
February 24, 2020 07:29
— forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: | |
| ::####################################################################### | |
| :: | |
| :: Change file associations to protect against common ransomware attacks | |
| :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell | |
| :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) | |
| :: --------------------- | |
| ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" |
api0cradle
/ rbcd_demo.ps1
Created
March 12, 2020 14:42
— forked from HarmJ0y/rbcd_demo.ps1
Resource-based constrained delegation computer DACL takeover demo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
api0cradle
/ 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Created
May 5, 2023 08:09
— forked from JohnLaTwC/38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
A very interesting DOCX no?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long |
api0cradle
/ check_vulnerabledrivers.ps1
Created
May 19, 2023 14:13
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list | |
| # Author: Oddvar Moe - @oddvar.moe | |
| $drivers = get-childitem -Path c:\windows\system32\drivers | |
| $web_client = new-object system.net.webclient | |
| $loldrivers = $web_client.DownloadString(" https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json | |
| Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count) | |
| foreach ($lol in $loldrivers.KnownVulnerableSamples) | |
| { |
OlderNewer