Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
""" | |
The script generates and prints a graph of all function-call flows that start in exported functions and end | |
in the function being pointed at in IDA. | |
This functionality is useful when you need to trigger a function in a DLL and wish to know which exported function | |
leads to it. | |
""" | |
import idaapi | |
import idautils | |
import idc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ################################################################################ | |
# IMPORTANT NOTE | |
# The most recent version of this POC rule can now be found in the main repository | |
# https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml | |
# ################################################################################ | |
# _____ __ __ ___ __ | |
# / ___/__ ___/ / / |/ /__ ___/ /__ | |
# / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
# \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ | |
# / __(_)__ ___ _ ___ _ / _ \__ __/ /__ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
SilkService Config | |
Author: Roberto Rodriguez (@Cyb3rWard0g) | |
License: GPL-3.0 | |
Version: 0.0.1 | |
References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml | |
--> | |
<SilkServiceConfig> | |
<!-- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
WARNING: | |
the newest version of this rule is now hosted here: | |
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
*/ | |
/* | |
_____ __ __ ___ __ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Linux | |
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n | |
macOS | |
(gstrings -a -td "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; gstrings -a -td -el "$@" | gsed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Set-ExecutionPolicy Unrestricted; | |
iex ((New-Object System.Net.WebClient).DownloadString('http://boxstarter.org/bootstrapper.ps1')); | |
get-boxstarter -Force; | |
Install-BoxstarterPackage -PackageName 'https://gist.githubusercontent.com/OALabs/afb619ce8778302c324373378abbaef5/raw/4006323180791f464ec0a8a838c7b681f42d238c/oalabs_x86vm.ps1'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Script author: Matt Graeber (@mattifestation) | |
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# Do your malicious things here that would be logged by AMSI | |
# logman stop AMSITrace -ets | |
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
$OSArch = $OSArchProperty.OSArchitecture | |
$OSPointerSize = 32 | |
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Code from best solution in page below: | |
# https://help.zoho.com/portal/community/topic/zoho-mail-servers-reject-python-smtp-module-communications | |
import smtplib | |
from email.mime.text import MIMEText | |
from email.header import Header | |
from email.utils import formataddr | |
# Define to/from | |
sender = 'sender@example.com' |
Matches: ("opt-out" OR unsubscribe OR "viewing the newsletter" OR "privacy policy" OR enews OR "edit your preferences" OR "email notifications" OR "update profile" OR smartunsubscribe OR secureunsubscribe OR yahoogroups OR "manage your account" OR "group-digests") Do this: Skip Inbox, Apply label "Work/Newsletters"
Matches: (subject:("invitation" OR "accepted" OR "rejected" OR "updated" OR "canceled event" OR "declined") when where calendar who organizer) Do this: Skip Inbox, Apply label "GTD/Follow up"