Skip to content

Instantly share code, notes, and snippets.

View MHaggis's full-sized avatar
:shipit:

Michael Haag MHaggis

:shipit:
357 followers · 86 following
View GitHub Profile
@dru1d-foofus
dru1d-foofus / README.md
Last active November 30, 2023 04:55
CVE-2023-41444 - IREC.sys Vulnerability

CVE-2023-41444 - Binalyze IREC.sys Vulnerable Driver

Credits

Mike Alfaro (@_mmpte_software) and Tyler Booth (@tyler_dru1d)

Description

An issue in Binalyze IREC.sys v.3.11.0 and before allows a local attacker to execute arbitrary code and escalate privileges due to an improper DACL being applied to the device the driver creates.

Vulnerability Type

Incorrect Acess Control

@breakersall
breakersall / Out of band interaction domains
Last active October 29, 2022 10:14
External service interaction domains
interact.sh
oast.pro
oast.live
oast.site
oast.online
oast.fun
oast.me
burpcollaborator.net
oastify.com
canarytokens.com
@oukeu
oukeu / GrantedAccess.spl
Last active October 29, 2021 13:13
Enumerate the human readable permission listed in Sysmon EID 10s.
```
Author: @0x1FFFFF
Date: 1 September, 2021
Goal: Enumerate the human readable permission listed in Sysmon EID 10s.
Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
```
$Your_Sysmon_Logic_Here$ EventCode=10
| stats count by GrantedAccess
@pmichaudrc
pmichaudrc / Invoke-ChainReaction.ps1
Created July 13, 2021 13:31
PowerShell script that combines the original Chain Reactions from Atomic Red Team
function Invoke-ChainReaction {
<#
.SYNOPSIS
A single script that combines the original Chain Reactions from the Atomic Red Team project
.PARAMETER Reaction
Specifies the ChainReaction to execute.
@mgraeber-rc
mgraeber-rc / SimulateInternetZoneTest.ps1
Created May 28, 2021 16:57
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
public static void Main(string[] Args) {
System.Console.WriteLine("Hello, world!");
System.Console.Read();
}
}
'@
@mgraeber-rc
mgraeber-rc / log_nothing.xml
Created March 16, 2021 14:43
A sysmon configuration that defaults to logging nothing. I use this as a baseline configuration for testing purposes where I can selectively turn on log sources by changing "include" to "exclude"
<Sysmon schemaversion="4.50">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="include"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time-->
<FileCreateTime onmatch="include"></FileCreateTime>
<!--Event ID 3: Network connection-->
<NetworkConnect onmatch="include"></NetworkConnect>
<!--Event ID 5: Process terminated-->
@k4nfr3
k4nfr3 / ioc_vulnerable_drivers.csv
Last active March 28, 2024 07:43
IOC vulnerable drivers
We can make this file beautiful and searchable if this error is corrected: It looks like row 9 should actually have 4 columns, instead of 2. in line 8.
SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
@leftp
leftp / gist:8b9c8e0a2ad199da5e763343718233f8
Created May 5, 2020 08:14 — forked from teixeira0xfffff/gist:c5333504841978a359c540f837ab0a18
MSBuild - Property functions
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@MHaggis
MHaggis / Find-Assemblies.ps1
Created February 14, 2020 04:51 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" &lt;. Often used by Emotet (UTF-16)