Bryan McNulty bryanmcnulty

@N7WEra
N7WEra / field-config.yaml
Last active November 30, 2025 18:26
Kitana custom field
- name: awss3
  type: regex
  regex:
    - '[a-zA-Z0-9.-]+\.s3\.amazonaws\.com'
    - 's3://([^/]+)'
    # Dot before "s3" escaped so it matches a literal "." only
    - '[a-zA-Z0-9.-]+\.s3\.[a-zA-Z0-9.-]+\.amazonaws\.com'
    - '[a-zA-Z0-9.-]+\.s3-website-[a-z0-9-]+\.amazonaws\.com'
- name: awsapps
@D3Ext
D3Ext / amsi-bypass.md
Last active June 25, 2025 02:06
All methods to bypass AMSI (2022)

AMSI Bypass

To test any of these techniques, type "Invoke-Mimikatz" into your PowerShell terminal. Even if you haven't imported Mimikatz, AMSI will flag the string as malicious. If AMSI is off or you have avoided it, PowerShell will just say that "it's not recognized as the name of a cmdlet", which tells you that AMSI has been bypassed.

However, some methods may be detected by the AV, but most of them actually work without problems.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading PowerShell to version 2.0.

// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@klezVirus
klezVirus / EtwStartWebClient.cs
Last active October 30, 2025 13:23
A PoC in C# to enable WebClient Programmatically
using System.Runtime.InteropServices;
using System;
/*
* Simple C# PoC to enable WebClient Service Programmatically
* Based on the C++ version from @tiraniddo (James Forshaw)
* Twitter: https://twitter.com/tiraniddo
* URL: https://www.tiraniddo.dev/2015/03/starting-webclient-service.html
*
* Compile with:

ZSH CheatSheet

This is a cheat sheet for how to perform various actions in ZSH, which can be tricky to find on the web because the syntax is not intuitive and it is generally not very well documented.

Strings

| Description | Syntax |
| --- | --- |
| Get the length of a string | ${#VARNAME} |
| Get a single character | ${VARNAME[index]} |
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Last active December 9, 2025 04:25
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return
@cablethief
cablethief / extract_EAP.sh
Last active September 25, 2024 02:04 — forked from singe/create_certs.sh
A simple tshark EAP certificate extractor
#!/bin/sh
# Simple tshark WiFi EAP certificate extractor
# By dominic@sensepost.com
# All rights reserved 2018
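# command -v returns non-zero when tshark is not on PATH; the original
# unquoted [ ! -x $(which tshark) ] test passed silently in that case
if ! command -v tshark >/dev/null 2>&1; then
    echo "tshark not installed"
    exit 1
fi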
@atifaziz
atifaziz / Unprotect-ProtectedData.ps1
Created March 31, 2017 06:25
Decrypting DPAPI-protected Base64 data from PowerShell
Add-Type -AssemblyName System.Security;
[Text.Encoding]::ASCII.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String((type -raw (Join-Path $env:USERPROFILE foobar))), $null, 'CurrentUser'))