This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-UEFIDatabaseSigner { | |
<# | |
.SYNOPSIS | |
Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders. | |
.DESCRIPTION | |
Author: Matthew Graeber (@mattifestation) | |
License: BSD 3-Clause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdlib.h> | |
#include <stdio.h> | |
#include <string.h> | |
#include <pthread.h> | |
#include <sys/mman.h> | |
#include <IOKit/IOKitLib.h> | |
#include <CoreFoundation/CFPropertyList.h> | |
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
StorageUsage.dll,GetStorageUsageInfo | |
acmigration.dll,ApplyMigrationShims | |
acproxy.DLL,PerformAutochkOperations | |
ppioobe.dll,setupcalendaraccountforuser | |
edgehtml.dll,#125 | |
edgehtml.dll,#133 | |
davclnt.dll,davsetcookie | |
appxdeploymentextensions.onecore.dll,shellrefresh | |
pla.dll,plahost | |
aeinv.dll,updatesoftwareinventory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller | |
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH::: | |
# ./check_hashes.py <hash_dump> | |
import sys | |
hashes = {} | |
with open(sys.argv[1]) as infile: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Author: Matthew Graeber (@mattifestation) | |
$Epoch = Get-Date '01/01/1970' | |
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/ | |
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName | |
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone) | |
# Parse out all the LogonGUID fields for sysmon ProcessCreate events | |
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Written by Frans Rosén (twitter.com/fransrosen) | |
_debug="$2" #turn on debug | |
_timeout="20" | |
#you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
_aws_key="AKIA..." | |
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import os | |
import sys | |
import logging | |
import pefile | |
import ucutils | |
import unicorn | |
import capstone | |
import argparse |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter Get-PEFeature { | |
<# | |
.SYNOPSIS | |
Retrieves key features from PE files that can be used to build detections. | |
.DESCRIPTION | |
Get-PEFeature extracts key features of PE files that are relevant to building detections. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package djb2 | |
// For when you ever need to implement a dictionary hash function, | |
// that's good enough, simple and fast. | |
// | |
// WARNING: | |
// Not cryptographicly secure! | |
// | |
// Source: https://en.wikipedia.org/wiki/DJB2 | |
// |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Carbon Black Evil PowerShell LSASS Query | |
# | |
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe | |
# | |
# Author: Jason Lang (@curi0usJack) | |
# | |
# Prereqs (Windows 10) | |
# Install bash on Win10 | |
# sudo apt-get install python-pip | |
# sudo pip install --upgrade requests |