Marcello byt3bl33d3r
🧛
byt3bl33d3r
/ Caddyfile
Last active
October 6, 2023 23:38
Caddyfile reverse proxy example for C2 platforms
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this. | |
| acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
| } | |
| (proxy_upstream) { | |
| # Enable access logging to STDOUT | |
| log | |
| # This is our list of naughty client User Agents that we don't want accessing our C2 |
byt3bl33d3r
/ java-ikvm-dotnet
Created
May 31, 2021 19:28
— forked from sixman9/java-ikvm-dotnet
Using IKVM to generate a C# assembly (dll) from a Java jar file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| See http://stackoverflow.com/questions/2947990/using-ikvm-to-convert-a-jar-flying-saucer-xhtmlrenderer | |
| I wanted to use the Flying Saucer Java API in .NET so I tried to use IKVM to convert the Flying Saucer library: | |
| ikvmc core-renderer.jar | |
| For some reason, IKVMC gave me an exe core-renderer.exe so I renamed it to core-renderer.dll, added to my assemblies and hacked away | |
| using java.io; | |
| using java.lang; | |
| using com.lowagie.text; |
byt3bl33d3r
/ Out-CompressedDll.nim
Last active
April 10, 2022 17:33
Compresses, Base-64 encodes and outputs PowerShell code to load a managed dll in memory. Port of the orignal PowerSploit script to Nim.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[ | |
| Requires the zippy library ("nimble install zippy") | |
| References: | |
| - https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/core/teamserver/utils.py#L22 | |
| - https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1 | |
| ]# | |
| import zippy/[inflate, deflate] | |
| import base64 |
byt3bl33d3r
/ ASR Rules Bypass.vba
Created
April 9, 2021 07:48
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
byt3bl33d3r
/ defender_update_check.cs
Last active
March 6, 2021 15:58
Uses the Windows Update Agent API (WUA API) COM Object to check if there are definition updates available for Windows Defender
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Add a reference to "WUAPI 2.0 Type Library" in Visual Studio | |
| // References: | |
| // - https://github.com/xonv/nagios-net-client/blob/0920114874ecc85fc7ab3a4426e547c9dc63a44a/NscaWinUpdateModule/WindowsUpdate.cs | |
| // - https://docs.microsoft.com/en-us/windows/win32/wua_sdk/portal-client | |
| using System; | |
| using WUApiLib; | |
| namespace WinUpdateTest | |
| { |
byt3bl33d3r
/ google_chat.cna
Created
February 17, 2021 22:23
Cobalt Strike Aggressor script that sends message to Google Chat on key events
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Original script by @Und3rf10w and @vysecurity | |
| # Modded by @byt3bl33d3r for Google Chat | |
| import java.net.URLEncoder; | |
| import java.io.BufferedReader; | |
| import java.io.DataOutputStream; | |
| import java.io.InputStreamReader; | |
| import java.net.HttpURLConnection; | |
| import java.net.URL; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #[ | |
| Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
| License: BSD 3-Clause | |
| AES256-CTR Encryption/Decryption | |
| ]# | |
| import nimcrypto | |
| import nimcrypto/sysrand |
byt3bl33d3r
/ dotnet-runtime-etw.py
Created
December 31, 2020 10:06
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
byt3bl33d3r
/ hookdetector.vba
Created
December 8, 2020 17:45
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
byt3bl33d3r
/ eventvwr_crash.py
Created
September 18, 2020 08:12
Crash the Windows Event Log service remotely (needs admin privs)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Crash the Windows Event Log Service remotely, needs Admin privs | |
| # originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r | |
| # | |
| # Once the service crashes 3 times it will not restart for 24 hours | |
| # | |
| # https://github.com/limbenjamin/LogServiceCrash | |
| # https://limbenjamin.com/articles/crash-windows-event-logging-service.html | |
| # | |
| # Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |