Skip to content

Instantly share code, notes, and snippets.

View 2xyo's full-sized avatar

2*yo 2xyo

55 followers · 114 following
  • Personnal
  • France
View GitHub Profile
@2xyo
2xyo / 2.0.txt
Last active May 12, 2020 19:18
$ stix2_validator xfe-collection_e6d351c8e832b560eb84be0f89079285.json --version 2.0
================================================================================
[-] Results for: xfe-collection_e6d351c8e832b560eb84be0f89079285.json
[X] STIX JSON: Invalid
[!] Warning: bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: {101} Custom property 'custom_objects' should have a type that starts with 'x_' followed by a source unique identifier (like a domain name with dots replaced by hyphen), a hyphen and then the name.
[!] Warning: indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: {214} labels contains a value not in the indicator-label-ov vocabulary.
[!] Warning: indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: {214} labels contains a value not in the indicator-label-ov vocabulary.
[X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[0]: {'id': 'indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8', 'type': 'indicator', 'created': '2020-05-05T13:09:07.912Z', 'modified': '2020-05-05T13:09:07.912Z', 'lab
@jipegit
jipegit / NtfsLastAccessUpdate_rules.md
Last active April 3, 2024 20:08
Ntfs Last Access Update rules by Windows version

NTFS Last Access Update rules

The table below contains the default/most probable observed behaviour depending on Windows version. Be sure to read the notes regarding Windows 7 and Windows 10.

Always verify the value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate during triage.

NTFS Last Access Update
XP ✔️
@xpn
xpn / PCMPBNMBAO_x86_poc.vba
Created October 26, 2019 23:31
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000
Const HEAP_ZERO_MEMORY = &H8&
Const SW_HIDE = &H0&
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
@wdormann
wdormann / acltest.ps1
Created May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@mojobojo
mojobojo / helloworld.cpp
Last active April 21, 2019 06:07
// Clearly the best hello world out there.
#define _ATL_ATTRIBUTES 1
#define _WINDLL 1
#include <atlbase.h>
#include <atlcom.h>
#include <string.h>
#include <comdef.h>
#include <string>
#include <fstream>
#include <iostream>
@mgeeky
mgeeky / Various-Macro-Based-RCEs.md
Last active January 14, 2024 16:43
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

  1. Page substiution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
@rjsmitre
rjsmitre / imddos.json
Created July 19, 2017 17:51
Damballa IMDDOS Threat Modeling Exercise
{
"type": "bundle",
"id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
"spec_version": "2.0",
"objects": [
{
"type": "marking-definition",
"id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f",
"created": "2017-07-18T22:00:30.404Z",
"definition_type": "statement",
anonymous
anonymous / psx.py
Created November 13, 2016 14:32
PowerShell decoder by @JohnLaTwC
## hacked together by @JohnLaTwC, Nov 2016, v 0.5
## This script attempts to decode common PowerShell encoded scripts. This version handles:
## * base64 data which encode unicode, gzip, or deflate encoded strings
## * it can operate on a file or stdin
## * it can run recursively in the event of multiple layers
## With apologies to @Lee_Holmes for using Python instead of PowerShell
##
import sys
import zlib
import re
@scumjr
scumjr / dirtycow-mem.c
Created October 21, 2016 15:09
/*
* CVE-2016-5195 dirtypoc
*
* This PoC is memory only and doesn't write anything on the filesystem.
* /!\ Beware, it triggers a kernel crash a few minutes.
*
* gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread
*/
#define _GNU_SOURCE
@grigorescu
grigorescu / README.md
Last active November 6, 2020 02:34
breakpoint_to_pcap

breakpoint_to_pcap

Overview

Given an input PCAP and a location in a Bro script, this script will filter the PCAP into a new file, which contains only the connections that visited that script location. This script can help filter a large PCAP to narrow down problematic connections, such as protocol violations, weirds, etc.

Example