jymcheong / generate_autocomplete_class.py
Last active September 5, 2017 01:56
Empire Auto-Complete Helper Class Generator
import os
from lib.common import empire
# FakeMenu class to pass obj to function later
class FakeMenu(object):
    """Minimal stand-in for ``empire.MainMenu``.

    ``empire.MainMenu(args=args)`` is a blocking call, so this class is
    handed to the module-loading code in its place. It carries only the
    two attributes seen here; presumably these are the ones Empire's
    module loader reads -- confirm against ``lib.common.empire`` before
    relying on it for anything beyond loading modules.
    """
    # No database connection is provided; anything that touches the DB
    # through this object will fail.
    conn = None
    # Evaluated once, at class-definition time: the value is whatever
    # directory the process was started from, so run the generator from
    # the Empire install directory (presumably what the loader expects).
    installPath = os.getcwd()
# main = empire.MainMenu(args=args) is a blocking call
# we need a FakeMenu to load modules.
jymcheong / empireMod
Last active June 3, 2020 21:52
Modified Empire Loader to have both RESTful API & full console
#!/usr/bin/env python
import sqlite3, argparse, sys, argparse, logging, json, string
import os, re, time, signal, copy, base64, pickle
from flask import Flask, request, jsonify, make_response, abort, url_for
from time import localtime, strftime, sleep
from OpenSSL import SSL
from Crypto.Random import random
import ssl
# Empire imports
jymcheong / blah.sct
Created September 18, 2017 08:24
blah.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Win32COMDebug"
progid="Win32COMDebug"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
<script language="JScript">
<![CDATA[
jymcheong / server.py
Created September 27, 2017 08:13
Minimal Python 2 HTTP server (SimpleHTTPServer) to serve ClickOnce deployment files with the correct .application MIME type
import SimpleHTTPServer
import SocketServer
PORT = 8000
class Handler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    # Unmodified subclass of the Python 2 stdlib static-file handler; it only
    # exists so the MIME-type assignments below hang off a local name.
    # NOTE(review): `extensions_map` is a class attribute inherited from
    # SimpleHTTPRequestHandler, and `Handler.extensions_map[...] = ...`
    # mutates that shared dict in place rather than a per-subclass copy, so
    # the '.shtml'/'.application' mappings apply process-wide, not just to
    # this class. Like its base class it presumably serves the current
    # working directory with no authentication -- run it from a directory
    # that contains only the files meant to be fetched (confirm).
    pass
Handler.extensions_map['.shtml'] = 'text/html'
Handler.extensions_map['.application'] = 'application/x-ms-application'
jymcheong / EmpireCOMPosh.cs
Created October 5, 2017 08:25
Allows PowerShell commands to run from JavaScript via COM, with PowerShell hosted in-process through System.Management.Automation -- i.e. PowerShell without powershell.exe
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
$files = @("cscc.dat", "infpub.dat")
$files | foreach {
write-host $env:windir\$_
echo "" > $env:windir\$_
$acl = Get-Acl $env:windir\$_
$acl.SetAccessRuleProtection($true,$true) # removes inheritence
$acl | Set-Acl
$acl = Get-Acl $env:windir\$_
$acl.Access | %{$acl.RemoveAccessRule($_)} # removes rules
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
jymcheong / program.cs
Last active January 9, 2018 07:59
Console test harness to get logical drive mount events
using System;
using System.Management;
using Newtonsoft.Json;
using System.Collections.Generic;
using System.Diagnostics;
namespace ConsoleDetectDriveMount
{
class DriveDetails
{
jymcheong / program.cs
Created January 9, 2018 08:02
Console test harness to get physical (MAC) address to IP address (v4 & v6) mappings
using System;
using System.Collections.Generic;
using System.Net.NetworkInformation;
using Newtonsoft.Json;
namespace ConsoleMacAddressTest
{
class NetworkAddressMappings
{
public string PhysicalAddress
jymcheong / SocketConnection.cs
Created January 23, 2018 02:24
Socket Connection Managed Wrapper
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Linq;
using System.Net;
using System.Diagnostics;
namespace ConsoleApplication2
{