CaledoniaProject
@CaledoniaProject
CaledoniaProject / UEFISecDatabaseParser.ps1
Created May 9, 2018 00:54 — forked from mattifestation/UEFISecDatabaseParser.ps1
Parses signature data from the db and dbx UEFI variables.
function Get-UEFIDatabaseSigner {
<#
.SYNOPSIS
Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.
.DESCRIPTION
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
@CaledoniaProject
CaledoniaProject / yolo.c
Created May 18, 2018 05:16 — forked from saelo/yolo.c
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CFPropertyList.h>
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit";
@CaledoniaProject
CaledoniaProject / wldp_interesting_rundll32_invocations.txt
Created June 3, 2018 14:31 — forked from mattifestation/wldp_interesting_rundll32_invocations.txt
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
StorageUsage.dll,GetStorageUsageInfo
acmigration.dll,ApplyMigrationShims
acproxy.DLL,PerformAutochkOperations
ppioobe.dll,setupcalendaraccountforuser
edgehtml.dll,#125
edgehtml.dll,#133
davclnt.dll,davsetcookie
appxdeploymentextensions.onecore.dll,shellrefresh
pla.dll,plahost
aeinv.dll,updatesoftwareinventory
@CaledoniaProject
CaledoniaProject / check_hashes.py
Created July 6, 2018 03:08 — forked from bandrel/check_hashes.py
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#!/usr/bin/env python3
# Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
# Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import sys
hashes = {}  # NTLM hash -> list of accounts that have it
with open(sys.argv[1]) as infile:
    for line in infile:
        fields = line.strip().split(':')
        if len(fields) >= 4:  # skip blank or malformed lines
            hashes.setdefault(fields[3].lower(), []).append(fields[0])
for ntlm, users in hashes.items():
    if len(users) > 1:  # more than one account with the same NTLM hash means a shared password
        print('%s: %s' % (ntlm, ', '.join(users)))
@CaledoniaProject
CaledoniaProject / SysmonEventGUIDParser.ps1
Created July 9, 2018 00:03 — forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
# Author: Matthew Graeber (@mattifestation)
$Epoch = Get-Date '01/01/1970'
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)
# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
@CaledoniaProject
CaledoniaProject / bucket-disclose.sh
Created July 12, 2018 09:41 — forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses SOAP, Unicode, POST, multipart, streaming and index listing as ways of figuring it out. You do need a valid AWS key (never the secret) to properly get the error messages.
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
# you need a valid key, since the errors happen only after AWS validates that the key exists. We do not need the secret key, only the access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
@CaledoniaProject
CaledoniaProject / auto_shellcode_hashes.py
Created July 16, 2018 10:50 — forked from williballenthin/auto_shellcode_hashes.py
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/uxzaceQ20DFYLJ0APL8sDuh0U
import os
import sys
import logging
import pefile
import ucutils
import unicorn
import capstone
import argparse
filter Get-PEFeature {
<#
.SYNOPSIS
Retrieves key features from PE files that can be used to build detections.
.DESCRIPTION
Get-PEFeature extracts key features of PE files that are relevant to building detections.
@CaledoniaProject
CaledoniaProject / djb2.go
Created July 22, 2018 14:37 — forked from lmas/djb2.go
djb2, a non-cryptographic hash function
package djb2
// For when you ever need to implement a dictionary hash function
// that's good enough, simple and fast.
//
// WARNING:
// Not cryptographically secure!
//
// Source: https://en.wikipedia.org/wiki/DJB2
//
// Hash returns the djb2 hash of s, using the classic "hash * 33 + c"
// form starting from 5381 (the variant is an assumption; the gist's
// preview ends before the function body).
func Hash(s string) uint32 {
	var h uint32 = 5381
	for i := 0; i < len(s); i++ {
		h = h*33 + uint32(s[i])
	}
	return h
}
# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious PowerShell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests