nullbind

<Sysmon schemaversion="4.81">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <DnsLookup>False</DnsLookup>
    <CheckRevocation>False</CheckRevocation>
    <ArchiveDirectory>sysmon</ArchiveDirectory>  
    <EventFiltering>
        <!--Event ID 1: Process creation-->
        <ProcessCreate onmatch="exclude"></ProcessCreate>
        <!--Event ID 2: A process changed a file creation time-->
        <FileCreateTime onmatch="exclude"></FileCreateTime>

nullbind

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />

nullbind

# Setup native functions so they can be called through c#
$win32 = @"
using System.Runtime.InteropServices;
using System;

public class Win32 {


[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

nullbind

using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
using System.Collections.Generic;

// -------------------------------------------------------------------------
// Instructions for compiling DLL and using via PowerShell on the fly
// -------------------------------------------------------------------------

nullbind

<#
        File: Crypt-It.ps1
        Author: Scott Sutherland (@_nullbind), NetSPI - 2021
        Version: 1.1
        Description: The Crypt-It function provide the ability to encrypt/decrypt data and files using AES password based and public/private key encryption.
        License: BSD 3-Clause
        Required Dependencies: None
        Optional Dependencies: None

        TODO

nullbind

# -------------------------------------------
# Function: Get-DomainInfoADPS
# Author: Scott Sutherland (@_nullbind), NetSPI
# Version: 1.7
# This script can be used to dump interesting
# information from Active Directory.
# This function requires the Active Directory 
# PowerShell Module, but the script supports
# loading it from bytes in the file.

nullbind

  
/*
 AppDomain Hijacking Execution Method
 Payload: Inveight Wrapper
 Description: This can be used to run Inveigh through appdomain hijacking.
 Mitre ATT&CK ID: T1038
 Author: Kevin Robertson - Inveigh, Scott Sutherland - Wrapper
 Credits: Based on techniques by Casey Smith.
 
 Execution Option: Config File

nullbind

function Get-DomainObject
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $false,
        HelpMessage = 'Domain user to authenticate with domain\user.')]
        [string]$Username,

        [Parameter(Mandatory = $false,
        HelpMessage = 'Domain password to authenticate with domain\user.')]

nullbind

#--------------------------------------
# Function: Get-SMBShareInventory
#--------------------------------------
# Author: Scott Sutherland, 2020 NetSPI
# References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. 

function Get-SMBShareInventory
{    
	<#
            .SYNOPSIS

nullbind

# Work in progress
# Automation goals 
# 1 enumeration HTTP proxy configurations on Windows and AD domain joined systems
# 2 parse the proxies 
# 3 test for unauthenticated outbound internet access.
# 4 produce inventory of available proxies and if auth is requires (proxy_url, proxy_port, proxy_source, authentication_required)

# ----------------------------------
#  Get-HttpProxyInfo
# ----------------------------------