WBGlIl
jfmaes
/ DInjectQueuerAPC.cs
Created
November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases | |
| 2. Get Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a | |
| 3. use @pljoel katz.cs cs file and uncomment the building lines available on Delivery.Program.Main() & comment Exec() line of code. | |
| 4. Build it to generate file.b64, copy its content and replace Package.file string available on payload.txt file. | |
| 6. Make sure payloadPath var is properly set on "TestAssemblyLoader.cs" | |
chryzsh
/ powershell-uac-always-notify-bypass.ps1
Created
April 28, 2019 22:06
uac bypass for always notify (works on 1903)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $assemblies=( | |
| "System" | |
| ) | |
| $source=@" | |
| using System; | |
| using Microsoft.Win32; | |
| using System.Diagnostics; | |
| namespace Helloworld |
chryzsh
/ Invoke-ReflectiveInjection1803.ps1
Created
October 24, 2018 17:05
Got some help fixing reflective injection to work on 1803 https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-ReflectivePEInjection | |
| { | |
| <# | |
| .SYNOPSIS | |
| This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process, | |
| or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints, | |
| please lead the Notes section (GENERAL NOTES) for information on how to use them. | |
| 1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. |
HarmJ0y
/ cobaltstrike_sa.txt
Created
September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows version: | |
| reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
| Users who have authed to the system: | |
| ls C:\Users\ | |
| System env variables: | |
| reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
| Saved outbound RDP connections: |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |