mvelazc0 / InjectDonut.cs
Last active October 12, 2020 23:45
Leverages donut.exe (https://github.com/TheWover/donut) to generate position-independent shellcode and injects it into a process using CreateRemoteThread. In this POC, the target process is notepad.exe.
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
namespace InjectDonut
{
public class Program
{
mvelazc0 / GetSystem.cs
Last active December 7, 2020 15:42
Escalates to SYSTEM by leveraging OpenProcess, OpenProcessToken and ImpersonateLoggedOnUser. https://attack.mitre.org/beta/techniques/T1134/. Must run from a high-integrity process and requires SeDebugPrivilege.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
//Based on https://0x00-0x00.github.io/research/2018/10/17/Windows-API-and-Impersonation-Part1.html
namespace GetSystem
{
class Program
{
mvelazc0 / GetAndRun.cs
Last active October 4, 2020 02:44
Downloads an XOR-encrypted assembly payload (Payload.cs) and invokes its "Run" method via .NET reflection.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Reflection;
using System.Text;
namespace GetAndRun
{
mvelazc0 / GetAndRunBlockDlls.cs
Last active October 12, 2020 23:45
Uses the BlockDLLs technique to launch https://gist.github.com/mvelazc0/4a56e1829ef3bd2784b6f06e35cb0ff2 as a child process.
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace GetAndRunBlockDlls
{
class Program
{
"username": "psharp",
"domain": "domain",
"dc": "192.168.1.2",
"sleep": 1,
"playbooks": [
{
"name": "Adversary Simulation Playbook 1",
"host": "win10-1",
"scoutfpath": "C:\\Installer.exe",
general:
cloud_provider: aws
attack_range_password: AW^@#^%&^#@##
use_prebuilt_images_with_packer: '0'
key_name: yourkey-001423
ip_whitelist: 8.8.8.8 # your public IP address
attack_range_name: test-range
aws:
private_key_path: /Users/your/key-001423.key
region: us-west-2
mvelazc0 / CreateSharesOnDomainComputers.ps1
Last active October 21, 2023 03:11
Queries AD to identify computers and creates three network shares with 'Everyone' permissions on each identified computer. Written for network-share-enumeration simulations.
Import-Module ActiveDirectory
$shareNames = @("Backup", "WebServer", "Finance", "HR", "Logs", "Database", "Reports", "Media", "Temp", "Archive", "Projects", "Dev", "Testing", "Marketing", "Sales", "Support", "Operations", "Engineering", "QA", "Legal", "Compliance", "Audit", "Design", "Research", "Training", "Analytics", "Security", "Content", "Maintenance", "Migration", "Production", "Inventory", "Services", "Retail", "Consulting", "Governance", "Planning", "Documentation", "Management", "Metrics", "Recruitment", "Networking", "Administration", "Collaboration", "Integration", "Automation", "Monitoring", "Facilities")
$sharePath = "C:\Data"
$dateCutoff = (Get-Date).AddDays(-10)
$computers = Get-ADComputer -Filter { LastLogonTimestamp -gt $dateCutoff } | Select-Object -ExpandProperty DNSHostName
foreach ($computer in $computers) {
Write-Host "Connecting to $computer..."
mvelazc0 / read_email_ews.py
Last active April 9, 2024 20:33
Reads M365 emails using the Exchange Web Services (EWS) API.
import requests
from xml.etree import ElementTree as ET
# https://github.com/3gstudent/Homework-of-Python/blob/master/ewsManage.py
# Authentication details
client_id = ''
client_secret = ''
tenant_id = ''
mailbox = '[email protected]'
mvelazc0 / read_email_graph.py
Created April 9, 2024 20:33
Reads M365 emails using the Microsoft Graph API.
import requests
tenant_id = ''
client_id = ''
client_secret = ''
scope = 'https://graph.microsoft.com/.default'
token_url = f'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token'
token_data = {
mvelazc0 / create_inbox_rule_graph.py
Created April 12, 2024 15:15
Creates an inbox rule on an M365 mailbox using the Microsoft Graph API.
import requests
tenant_id = ''
client_id = ''
client_secret = ''
scope = 'https://graph.microsoft.com/.default'
token_url = f'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token'
token_data = {