
2XXE (SRA) 2XXE-SRA

@2XXE-SRA
2XXE-SRA / ag.py
Created September 9, 2021 21:08
call Cobalt Strike headless Aggressor from Python using JPype1
# pip install JPype1
import jpype
import jpype.imports
from jpype.types import *
import os
os.chdir("<cobaltstrike directory>") # required for auth file lookup
# add cobaltstrike.jar to the class path before the JVM starts; entries added
# later are not guaranteed to be visible to the default class loader
jpype.addClassPath("<cobaltstrike directory>/cobaltstrike.jar")
jpype.startJVM()
@2XXE-SRA
2XXE-SRA / newsblog.js
Created July 13, 2021 18:49
MuddyWater newsblog.js
Payload used by MuddyWater as detailed here: https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html
Replace "http://127.0.0.1:8000/cmd" with link to page containing command
Command page should be something like: "c:\windows\system32\cmd.exe /c calc.exe"
@2XXE-SRA
2XXE-SRA / inject.cpp
Last active May 5, 2022 15:14
reflective DLL injection via resource section
//modified from: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
#include <iostream>
#include <windows.h>
#include "resource.h"
typedef struct BASE_RELOCATION_BLOCK {
DWORD PageAddress;
DWORD BlockSize;
} BASE_RELOCATION_BLOCK, * PBASE_RELOCATION_BLOCK;
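The BASE_RELOCATION_BLOCK struct above is the header a reflective loader walks when it rebases the DLL it has copied into the target process: each block covers one 4 KiB page and is followed by 16-bit entries whose top 4 bits give the relocation type and low 12 bits the offset within the page. The following is an added example, not the gist's code and not from ired.team, that implements that walk in Python over a constructed two-page image and a constructed .reloc blob (all values are made up for the demonstration), including the ABSOLUTE padding entries and the 32-bit (HIGHLOW) versus 64-bit (DIR64) fixups that a real loader has to distinguish:

```python
import struct

# Relocation entry types from winnt.h; ABSOLUTE entries are alignment padding
IMAGE_REL_BASED_ABSOLUTE = 0
IMAGE_REL_BASED_HIGHLOW = 3    # patch a 32-bit pointer
IMAGE_REL_BASED_DIR64 = 10     # patch a 64-bit pointer

PREFERRED_BASE = 0x10000000    # hypothetical ImageBase of the constructed DLL


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def read_u64(buf, off):
    return struct.unpack_from("<Q", buf, off)[0]


def parse_reloc_blocks(reloc):
    """Walk .reloc data: a chain of (PageAddress, BlockSize) headers, each
    followed by (BlockSize - 8) / 2 WORD entries of 4-bit type | 12-bit offset.
    Returns [(page_rva, [(type, offset), ...]), ...]."""
    blocks, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size == 0:
            break  # a zero-sized block terminates the table
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block at offset %d" % pos)
        count = (block_size - 8) // 2
        entries = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        blocks.append((page_rva, [(e >> 12, e & 0xFFF) for e in entries]))
        pos += block_size
    return blocks


def apply_relocations(image, reloc, delta):
    """Rebase an image that was linked for PREFERRED_BASE but mapped at
    PREFERRED_BASE + delta. Returns (patched image, entries patched)."""
    image = bytearray(image)
    applied = 0
    for page_rva, entries in parse_reloc_blocks(reloc):
        for rtype, off in entries:
            addr = page_rva + off
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue  # padding, nothing to patch
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                if addr + 4 > len(image):
                    raise ValueError("HIGHLOW fixup outside image at 0x%x" % addr)
                struct.pack_into("<I", image, addr,
                                 (read_u32(image, addr) + delta) & 0xFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_DIR64:
                if addr + 8 > len(image):
                    raise ValueError("DIR64 fixup outside image at 0x%x" % addr)
                struct.pack_into("<Q", image, addr,
                                 (read_u64(image, addr) + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError("unsupported relocation type %d" % rtype)
            applied += 1
    return bytes(image), applied


def build_sample():
    """Constructed test data: a 2-page image holding one 32-bit and one 64-bit
    absolute pointer, plus the .reloc blob describing where they live."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x10, PREFERRED_BASE + 0x1234)   # page 0
    struct.pack_into("<Q", image, 0x1020, PREFERRED_BASE + 0x40)   # page 1
    # block 1: page RVA 0, 12 bytes = header + HIGHLOW entry + ABSOLUTE padding
    reloc = struct.pack("<IIHH", 0x0000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10, 0)
    # block 2: page RVA 0x1000, 12 bytes = header + DIR64 entry + padding
    reloc += struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x20, 0)
    return bytes(image), reloc


if __name__ == "__main__":
    img, rel = build_sample()
    actual_base = 0x20000000
    patched, n = apply_relocations(img, rel, actual_base - PREFERRED_BASE)
    print("patched %d entries" % n)
    print("0x%08x 0x%016x" % (read_u32(patched, 0x10), read_u64(patched, 0x1020)))
```

The bounds checks on BlockSize and on each fixup address are the part worth keeping in mind: a loader that trusts a hostile .reloc table will happily write outside the mapped image.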
@2XXE-SRA
2XXE-SRA / coldencryptor.cs
Last active December 27, 2023 15:30
PoC ransomware-like script: generates files, then encrypts them
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Win32;
public class Crypto
@2XXE-SRA
2XXE-SRA / spn.ps1
Last active March 23, 2021 19:51
PowerShell function to set a read ACL on an SPN
# adapted from https://stackoverflow.com/a/6291111
#
# TargetObject = account with SPN
# $TargetObject = "LDAP://CN=foo,CN=Users,DC=contoso,DC=local"
# Identity = identity to be put in ACE
# $Identity = [security.principal.ntaccount]"contoso\user"
# $Identity = [security.principal.securityidentifier]"S-1-1-0"
# Deny = deny or allow access
Function Set-SpnPermission {
param(
@2XXE-SRA
2XXE-SRA / row.py
Created June 24, 2020 16:12
Python dict to Spark Row in Databricks
from pyspark.sql import Row
# mydict is something like {"abc":"def", "ghi":"jkl"}
computer = Row(*mydict.keys())   # Row class whose columns are the dict keys
rows = [computer(*mydict.values())]
display(spark.createDataFrame(rows))
@2XXE-SRA
2XXE-SRA / README.md
Last active May 20, 2020 21:02
Convert Evtx to JSON for Mordor

Convert .evtx file to Mordor

Setup

Download Winlogbeat and place in same directory as script or in $PATH

Usage

PS>

"""A module for translating and manipulating SDDL strings.
SDDL strings are used by Microsoft to describe ACLs as described in
http://msdn.microsoft.com/en-us/library/aa379567.aspx.
Example: D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
"""
__author__ = 'tojo2000@tojo2000.com (Tim Johnson)'
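The docstring above gives a service security descriptor in SDDL form, D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU): a DACL of two allow ACEs, each written as type;flags;rights;object-guid;inherit-guid;trustee, with two-letter rights codes and well-known SID aliases. The following is an added example, not the module quoted above and not code from this gist author, that parses the O:, G:, D: and S: components of such a string into a structure with numeric access masks and resolved SIDs. The rights and alias tables are the standard sddl.h values but deliberately abbreviated; the second input string in the test is constructed:

```python
import re

# ACE type and ACE flag abbreviations (sddl.h)
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# Access-right abbreviations and the bits they stand for (partial table)
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# Well-known SID aliases (partial table; the real list is much longer)
SID_ALIASES = {"AU": "S-1-5-11", "PU": "S-1-5-32-547", "BA": "S-1-5-32-544",
               "BU": "S-1-5-32-545", "SY": "S-1-5-18", "WD": "S-1-1-0",
               "AN": "S-1-5-7", "IU": "S-1-5-4", "LS": "S-1-5-19",
               "NS": "S-1-5-20", "NU": "S-1-5-2", "CO": "S-1-3-0", "CG": "S-1-3-1"}


def _tokens(s, table, what):
    """Split a run of two-letter codes and validate each against a table."""
    if len(s) % 2:
        raise ValueError("odd-length %s string: %r" % (what, s))
    toks = [s[i:i + 2] for i in range(0, len(s), 2)]
    bad = [t for t in toks if t not in table]
    if bad:
        raise ValueError("unknown %s token(s) %s in %r" % (what, bad, s))
    return toks


def parse_rights(s):
    """Rights field: either a hex mask or a run of two-letter codes."""
    if s.lower().startswith("0x"):
        return int(s, 16)
    mask = 0
    for t in _tokens(s, RIGHTS, "rights"):
        mask |= RIGHTS[t]
    return mask


def describe_mask(mask):
    """Decode a mask back to the single-bit abbreviations it contains."""
    return [t for t, v in RIGHTS.items() if v & (v - 1) == 0 and mask & v]


def resolve_sid(s):
    if s.upper().startswith("S-"):
        return s
    if s not in SID_ALIASES:
        raise ValueError("unknown SID alias %r" % s)
    return SID_ALIASES[s]


def parse_ace(text):
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 ';'-separated fields: %r" % text)
    typ, flags, rights, obj, inh_obj, sid = fields
    if typ not in ACE_TYPES:
        raise ValueError("unknown ACE type %r" % typ)
    return {"type": ACE_TYPES[typ],
            "flags": [ACE_FLAGS[t] for t in _tokens(flags, ACE_FLAGS, "ACE flag")],
            "mask": parse_rights(rights),
            "object_type": obj or None,
            "inherited_object_type": inh_obj or None,
            "trustee": resolve_sid(sid)}


def parse_acl(text):
    """'PAI(A;;...)(D;;...)' -> (ACL control flags, list of ACE dicts)."""
    head = text.partition("(")[0]
    flags, i = [], 0
    while i < len(head):
        for f in ("AI", "AR", "P"):
            if head.startswith(f, i):
                flags.append(f)
                i += len(f)
                break
        else:
            raise ValueError("unknown ACL control flag in %r" % head)
    aces = [parse_ace(m) for m in re.findall(r"\(([^()]*)\)", text)]
    return flags, aces


def parse_sddl(sddl):
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key == "O":
            sd["owner"] = resolve_sid(body)
        elif key == "G":
            sd["group"] = resolve_sid(body)
        else:
            flags, aces = parse_acl(body)
            sd["dacl" if key == "D" else "sacl"] = {"flags": flags, "aces": aces}
    return sd
```

Run against the docstring's example, the only difference between the Authenticated Users ACE and the Power Users ACE is the RP bit (0x10), which for a service object is SERVICE_QUERY_CONFIG-style read access that the module's tables let you name rather than eyeball.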
@2XXE-SRA
2XXE-SRA / 2.exe
Last active June 25, 2020 13:23
misc remote resources
.
@2XXE-SRA
2XXE-SRA / netrelease.ps1
Last active May 27, 2021 13:53
Add user to LanmanServer SrvsvcSessionInfo DACL, allowing them to perform NetSessionEnum (e.g. NetSess, BloodHound)
# based on NetCease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
# can be deployed on a per-host basis using this script - e.g. via something like SCCM
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value
# (lanmanserver still needs to be restarted when done this way)
# see: https://adsecurity.org/?p=3299 -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease)
# constants
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"