aa2b8cf · Mar 14, 2024
:octocat: RedTeam Database

This repository contains a library of cmdlets which, for one reason or another, have NOT been implemented
in any of my tools (redpill, meterpeter), and which can be invoked manually to perform post-exploitation tasks.


:octocat: Disclaimer

This repository contains resources written by me or by external developers to help in Red Team engagements.


:octocat: Repository Structure

Directory Name                                         Resource Description
--------------                                         --------------------
Database
        |_ Ams1-Bypass
                      |_ AMSBP.ps1                     Disable AMSI within current process (bxor)
                      |_ Disable-Amsi.ps1              Disable AMSI within current process (unsigned techniques)
                      |_ Invoke-Bypass.ps1             Disable AMSI within current process + exec script through bypass
        |_ Ams1-Trigger
                      |_ AmsiTrigger_x64.exe           Hunts for malicious strings that trigger AMSI detection
        |_ CertSign_PS1
                      |_ PSscriptSigning.bat           Signs one PS1 script ( certlm.msc - certificate )
                      |_ DeletePSscriptSignning.bat    Deletes the certificate added by the previous script from the store
                      |_ Invoke-LazySign.ps1           Signs a Windows binary with a self-signed cert
                      |_ DigitalSignature-Hijack.ps1   Digitally signs all PS1 scripts on the host as Microsoft
        |_ Dump-Browser
                      |_ DumpChromePasswords.ps1       Dumps URLs, usernames, and passwords from Chrome
                      |_ HarvestBrowserPasswords.exe   Dumps URLs, usernames, and passwords from major browsers
                      |_ ChromePass.exe                Dumps usernames and passwords from Chrome (Invoke-Exclusions.ps1)
        |_ ETWpatch
                      |_ EventK.exe                    Suspends the thread in svchost.exe related to event logging
                      |_ Get-Logs.ps1                  Enumerate \ Read \ Delete eventvwr logfiles (ETW)
        |_ EnableAllParentPrivileges
                      |_ EnableAllParentPrivileges.exe Enable All Parent Privileges ( whoami /priv )
        |_ Exfiltration
                      |_ DLLSearch.ps1                 Lists all DLLs loaded by running\selected processes
                      |_ DecodeRDPCache.ps1            Reads the RDP persistent cache from cache0001.bin
                      |_ Find-AppLockerLogs.ps1        Looks through the AppLocker logs to find processes
                      |_ List-AllMailboxAndPST.ps1     Uses the Outlook COM object to display the data stores
                      |_ Read-ExcelFile-Using_COM.ps1  Reads Excel file sheets using the COM object
                      |_ WindowsUpdateLog.ps1          Converts ETL logfiles (WindowsUpdate) into readable data
                      |_ Get-PrefetchListing.ps1       Manages (query \ delete) prefetch files (.pf)
                      |_ Get-ComputerGeoLocation.ps1   Retrieves the computer's geographical location
                      |_ eviltree_x64.exe              Search for credentials in files (pass or regex)
                      |_ Invoke-VaultCmd.ps1           Manage Windows Password Vault Items
        |_ Fake-Cmdline
                      |_ Fake-Cmdline.exe              Put any string into the child process Command Line field
        |_ HTTP-Server
                      |_ CaptureServer.ps1             Captures HTTP credentials on the local LAN (spawns credential box)
                      |_ Start-SimpleHTTPServer.ps1    Simple pure-PowerShell HTTP web server
                      |_ wget.vbs                      VBScript to download files from the local LAN
                      |_ Invoke-ShortUrl.ps1           TinyURL generator ( dropper URL link )
        |_ LPE
                      |_ PrintNotifyPotato-NET2.exe    Local privilege escalation (admin => Nt Authority\System)
        |_ Misc-CmdLets
                      |_ Open-Directory.ps1            Uses the GUI to open the selected directory
                      |_ msgbox.ps1                    Example of how to spawn a message box in pure PowerShell
                      |_ progressbar.ps1               Example of how to spawn a progress bar in pure PowerShell
                      |_ sendkeys.ps1                  Example of how to send keyboard presses (keys) to processes
        |_ Out-FileFormat
                      |_ Out-shortcut.ps1              Creates a shortcut that accepts cmdline args to execute.
                      |_ SendToPasteBin.ps1            Gets a file's contents and pastes them to Pastebin.
                      |_ SuperHidden.ps1               Query\Create\Delete super hidden system folders
        |_ Process-Spoofing
                      |_ PPIDSpoof.ps1                 Creates a process as a child of a specified process ID.
                      |_ SelectMyParent.exe            Creates a process as a child of a specified process ID.
                      |_ spoof.exe                     Creates a process as a child of a specified process ID.
                      |_ Mitre-T1202.ps1               MITRE ATT&CK T1202: Indirect Command Execution                      
        |_ Screenshot
                      |_ Screenshot.exe                Capture desktop screenshot ( silent )
        |_ SharpGhosting
                      |_ SharpGhosting.exe             Hides the parent process name from Task Manager displays
        |_ Sign-Executables
                      |_ CarbonCopy.py                 Creates a spoofed certificate of an online website to sign a PE
                      |_ sigthief.py                   Signs a PE for AV evasion by cloning another PE's certificate
                      |_ SigFlip.exe                   A tool to sign an Executable (PE) for AV Evasion.
        |_ Stream-TargetDesktop
                      |_ Stream-TargetDesktop.ps1      Streams the target desktop live (attacker: Firefox with MJPEG)
        |_ String-Obfuscation
                      |_ enc-rot13.ps1                 Encrypts or decrypts strings using the ROT13 cipher.
                      |_ Out-EncodedSpecialCharOnlyCommand.ps1 Generates Special-Character-Only encoded payload
                      |_ obfuscator.bat                Obfuscate batch scripts
                      |_ vbs_obfuscator.vbs            Obfuscate VBS scripts
                      |_ Encrypt-String.ps1            Encrypt commands\scripts using a secret key
                      |_ Convert-ROT47.ps1             Rotates ASCII chars by n places (Caesar cipher - rot)
        |_ WD-Bypass
                      |_ Invoke-Exclusions.ps1         Adds exclusions (Set-MpPreference) + Download\Execute URL cmdlet
        |_ WebCam-Capture
                      |_ WebCam.py                     Capture video (AVI) using default target webcam
        |_ winpmem-mini
                      |_ winpmem_mini_x86.exe          Dumps raw image process data to disk