From b7c7da7b4e735f3d7886d89fca91ee197871c595 Mon Sep 17 00:00:00 2001 From: mgeeky Date: Thu, 7 May 2020 01:41:48 +0200 Subject: [PATCH] Added mention of my SharpWMI fork --- .gitmodules | 3 +++ red-teaming/README.md | 5 +++++ red-teaming/SharpWMI | 1 + 3 files changed, 9 insertions(+) create mode 160000 red-teaming/SharpWMI diff --git a/.gitmodules b/.gitmodules index 3b42162..e261a37 100644 --- a/.gitmodules +++ b/.gitmodules @@ -43,3 +43,6 @@ [submodule "windows/PE-library"] path = windows/PE-library url = https://github.com/mgeeky/PE-library +[submodule "red-teaming/SharpWMI"] + path = red-teaming/SharpWMI + url = https://github.com/mgeeky/SharpWMI diff --git a/red-teaming/README.md b/red-teaming/README.md index 4ae0bc6..ab5982e 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -105,6 +105,9 @@ amsiInitFailed *Warning:* This scriptlet should be launched first, before `Disable-Amsi.ps1` for better OpSec experience. +- **`Download-Cradles-Oneliners.md`** - Various Powershell Download Cradles purposed as one-liners ([gist](https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38)) + + - **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`. **WARNING:** This script is compatible with newer version of PowerView (coming from dev branch as of 2018), @@ -331,6 +334,8 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt - **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9)) +- [**`SharpWMI`**](https://github.com/mgeeky/SharpWMI) - This implementation is a refurbished and enhanced version of original SharpWMI by @harmj0y that adds some more flexibility for working with malicious VBS scripts, AMSI evasion, file upload purely via WMI and makes it possible to return output from WMI remotely executed commands. Initially submitted as a [Pull Request #3](https://github.com/GhostPack/SharpWMI/pull/3) to the original repo of that project, however unless it's merged there - will pin my fork here for accountability + - **`Stracciatella`** - Powershell runspace from within C# (aka `SharpPick` technique) with AMSI and Script Block Logging disabled for your pleasure. * This program provides functionality to decode passed parameters on the fly, using Base64 and Xor single-byte decode (also combined) diff --git a/red-teaming/SharpWMI b/red-teaming/SharpWMI new file mode 160000 index 0000000..09b546d --- /dev/null +++ b/red-teaming/SharpWMI @@ -0,0 +1 @@ +Subproject commit 09b546d8543e0211f768ac8ee0e47547e3f44822