I hereby claim:
- I am xorrior on github.
- I am xorrior (https://keybase.io/xorrior) on keybase.
- I have a public key whose fingerprint is A086 24A4 D702 0EAE FCEC 139D 56BA 7C93 A848 D2F7
To claim this, I am signing this object:
Chris Ross xorrior
xorrior
/ keybase.md
Last active
February 9, 2016 21:59
xorrior
/ wmic_cmds.txt
Last active
April 16, 2025 01:36
Useful Wmic queries for host and domain enumeration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
xorrior
/ New-InstallUtilBatchFile.ps1
Created
October 27, 2016 14:13
Generate InstallUtil payload within batch file for delivery
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-InstallUtilBatchFile | |
| { | |
| <##> | |
| #You must provide an encoded payload using certutil -encode for the InFilePath. | |
| #certutil -encode payload.exe payload.txt | |
| #For compiling w/ a managed powershell runner | |
| # C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs | |
| [CmdletBinding()] | |
| param | |
| ( |
xorrior
/ New-RegSvr32BatchFile.ps1
Created
October 28, 2016 15:03
Generate a batch file to execute a dll with regsvr32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-RegSvr32BatchFile | |
| { | |
| <# | |
| .SYNOPSIS | |
| Generates a batch file which will contain a certutil encoded, cab compressed payload. | |
| .DESCRIPTION | |
| The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want. | |
| Create payload: |
xorrior
/ New-CplBatchFile.ps1
Last active
September 20, 2017 12:15
Generate Batch file for cpl file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function New-CplBatchFile | |
| { | |
| <# | |
| .SYNOPSIS | |
| Generates a batch file which will contain a certutil encoded, cab compressed payload. | |
| .DESCRIPTION | |
| The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want. | |
| Create payload: |
xorrior
/ pshell_template_embedded_script.xml
Created
December 20, 2016 14:45
MSBuild Powershell Script XML template
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml --> | |
| <!-- Author: Casey Smith, Twitter: @subTee --> | |
| <!-- License: BSD 3-Clause --> | |
| <PropertyGroup> | |
| <FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName> | |
| <Cmd Condition="'$(Cmd)' == ''">None</Cmd> | |
| </PropertyGroup> | |
| <Target Name="Hello"> |
xorrior
/ PELoader.cs
Created
July 12, 2017 01:54
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.IO.Compression; | |
| using System.Text; | |
| using System.Collections.Generic; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
xorrior
/ LoadMethodScanner.ps1
Created
August 11, 2017 13:04
— forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| # Load dnlib with Add-Type first | |
| # dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
| # Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
| filter Get-AssemblyLoadReference { | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
| [Alias('FullName')] | |
| [String] | |
| [ValidateNotNullOrEmpty()] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import io | |
| import sys | |
| import os, imp | |
| import base64 | |
| import threading | |
| moduleRepo = {} | |
| _meta_cache = {} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <array> | |
| <dict> | |
| <key>name</key> | |
| <string>sample rule</string> | |
| <key>enabled</key> | |
| <true/> | |
| <key>eventTypes</key> |
OlderNewer