CaledoniaProject
CaledoniaProject
/ UEFISecDatabaseParser.ps1
Created
May 9, 2018 00:54
— forked from mattifestation/UEFISecDatabaseParser.ps1
Parses signature data from the db and dbx UEFI variables.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-UEFIDatabaseSigner { | |
| <# | |
| .SYNOPSIS | |
| Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders. | |
| .DESCRIPTION | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause |
CaledoniaProject
/ yolo.c
Created
May 18, 2018 05:16
— forked from saelo/yolo.c
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <pthread.h> | |
| #include <sys/mman.h> | |
| #include <IOKit/IOKitLib.h> | |
| #include <CoreFoundation/CFPropertyList.h> | |
| const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit"; |
CaledoniaProject
/ wldp_interesting_rundll32_invocations.txt
Created
June 3, 2018 14:31
— forked from mattifestation/wldp_interesting_rundll32_invocations.txt
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| StorageUsage.dll,GetStorageUsageInfo | |
| acmigration.dll,ApplyMigrationShims | |
| acproxy.DLL,PerformAutochkOperations | |
| ppioobe.dll,setupcalendaraccountforuser | |
| edgehtml.dll,#125 | |
| edgehtml.dll,#133 | |
| davclnt.dll,davsetcookie | |
| appxdeploymentextensions.onecore.dll,shellrefresh | |
| pla.dll,plahost | |
| aeinv.dll,updatesoftwareinventory |
CaledoniaProject
/ check_hashes.py
Created
July 6, 2018 03:08
— forked from bandrel/check_hashes.py
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller | |
| #Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH::: | |
| # ./check_hashes.py <hash_dump> | |
| import sys | |
| hashes = {} | |
| with open(sys.argv[1]) as infile: |
CaledoniaProject
/ SysmonEventGUIDParser.ps1
Created
July 9, 2018 00:03
— forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| $Epoch = Get-Date '01/01/1970' | |
| # Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/ | |
| $StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName | |
| $TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone) | |
| # Parse out all the LogonGUID fields for sysmon ProcessCreate events | |
| Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { |
CaledoniaProject
/ bucket-disclose.sh
Created
July 12, 2018 09:41
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
CaledoniaProject
/ auto_shellcode_hashes.py
Created
July 16, 2018 10:50
— forked from williballenthin/auto_shellcode_hashes.py
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/uxzaceQ20DFYLJ0APL8sDuh0U
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
CaledoniaProject
/ GetPEFeature.ps1
Created
July 16, 2018 12:04
— forked from mattifestation/GetPEFeature.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-PEFeature { | |
| <# | |
| .SYNOPSIS | |
| Retrieves key features from PE files that can be used to build detections. | |
| .DESCRIPTION | |
| Get-PEFeature extracts key features of PE files that are relevant to building detections. |
CaledoniaProject
/ djb2.go
Created
July 22, 2018 14:37
— forked from lmas/djb2.go
djb2, a non-cryptographic hash function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package djb2 | |
| // For when you ever need to implement a dictionary hash function, | |
| // that's good enough, simple and fast. | |
| // | |
| // WARNING: | |
| // Not cryptographicly secure! | |
| // | |
| // Source: https://en.wikipedia.org/wiki/DJB2 | |
| // |
CaledoniaProject
/ cbapi-ps-lsass-loop.py
Created
August 1, 2018 11:30
— forked from curi0usJack/cbapi-ps-lsass-loop.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Carbon Black Evil PowerShell LSASS Query | |
| # | |
| # Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe | |
| # | |
| # Author: Jason Lang (@curi0usJack) | |
| # | |
| # Prereqs (Windows 10) | |
| # Install bash on Win10 | |
| # sudo apt-get install python-pip | |
| # sudo pip install --upgrade requests |