Jump to content

Github spots to get payloads to play with


PoSHMagiC0de

Recommended Posts

So, some people got the same idea.  Out there on github are all kinds of payloads you can play with that do some crazy things  Here are some links to some.

First one is Powersploit.  Its been talked about all over.  This is a good starter.  Also contains some good utility scripts for modifying your scripts.

https://github.com/PowerShellMafia/PowerSploit

Next is my favorite.  Empire.  I am going to link the stable branch but under the 2.0 branch you can find python payloads as well for your nix and OSX needs.

Root Project:

https://github.com/EmpireProject/Empire

Subfolder with all the Powershell stuff:

https://github.com/EmpireProject/Empire/tree/master/data/module_source

 

And just for kicks, hey Dav-ee, look, an agent.

https://github.com/EmpireProject/Empire/tree/master/data/agent

I couldn't help it.  That agent is way beyond mine.  Of course mine isn't design to communicate across the internet so securing connection not a big deal.

Link to comment
Share on other sites

Here is a little snippet I made into a function to see if your current Powershell instance is high integrity or not (if your Powershell process that is currently running has bypassed UAC.).  At this present time I cannot tell you the usefulness of this in the BB world except to limit scripts if the process if not UAC bypassed but may come in handy.

function Get-isHighIntegrity
{
    $isAdmin = $false
	#If the process is running as System then we are in a high integrity process.
    if(([Environment]::UserName).ToLower() -eq 'system') {
        $isAdmin = $true
    }else{
        # otherwise check the token groups
        $isadmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')
    }
    return $isAdmin
}

I believe this is a snippet from Empire's agent.  My old way was a huge C# routine to check pointers which looks to only be needed for processes you are not in.  This function returns a Boolean true if it is high integrity or false if not.

Link to comment
Share on other sites

2 hours ago, rottingsun said:

The latest Empire stagers actually have a bunny target. :grin:

Yeah, I was speaking with the author on Github through his push request about it.  Was discussing if the way he did it was compatible with all versions of the bunny.  1.0 and up after I suggested making it for latest version.  He had a better point about making it just work across the board.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...