Jonathan Echavarria Und3rf10w
@Und3rf10w
Und3rf10w / HowToDetectTechniqueX_Demos.ps1
Created Sep 6, 2019 — forked from mattifestation/HowToDetectTechniqueX_Demos.ps1
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
View HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
View introspection-query.graphql
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
View reversed_ayyylmao_xss_rtlo
printf "\u202e<tpircs/>('oamlyyyya')trela.wodniw<tpircs>\u202e" | xclip -sel clip
Und3rf10w / post_to_slacks.sh
Created Oct 8, 2018
For being a dick when you steal someone's slack token
View post_to_slacks.sh
#!/bin/bash
# Usage: slackpost <token> <channel> <message>
# Enter the name of your slack host here - the thing that appears in your URL:
# https://slackhost.slack.com/
slackhost=
# Stolen apikey
Und3rf10w / 99-usb.rules
Created Sep 11, 2018
Udev Setup script to notify any changes to USB subsystem
View 99-usb.rules
# Udev rule in /etc/udev/rules.d/
ACTION=="add", RUN+="/usr/local/bin/udevnotify"
Und3rf10w / radamsawrapper.sh
Last active Aug 28, 2018
Shell function to wrap radamsa against an application that takes one argument
View radamsawrapper.sh
while true; do
  testcase=$(echo "$2" | radamsa) # $2 is the sample argument to mutate; radamsa emits one fuzzed variant per run
  echo -e "\n\n---TESTCASE---\n$testcase\n\n---OUTPUT---"
  ./"$1" "$testcase" # $1 is the application to be fuzzed; the mutated input is passed quoted, as a single argument
  test $? -gt 0 && break # stop as soon as the fuzzed application exits with anything other than 0
  echo -e "\n---ENDOUTPUT---\n"
  echo -e "---ENDCASE---\n"
done
echo -e "\n\n\e[0;31mAPPLICATION CRASHED\n\e[0mHexdump of input below:\n\n"
printf '%s' "$testcase" | hexdump -Cv | tee crash.hexdump # dump the crashing input as bytes; '%s' stops printf from interpreting % or \ sequences inside the test case
View make-ramdisk.sh
sudo mount -t tmpfs -o size=1024m tmpfs ~/ramdisk/
Und3rf10w / generate_nyancair_png.py
Last active Feb 5, 2018
Generates and tests a nyancat png with an embedded eicar string
View generate_nyancair_png.py
from PIL import Image
from cStringIO import StringIO
import requests
import imageio
import base64
import zlib
import PIL
import re
def encode(data, imageio):
Und3rf10w / nyancair_gif_test.py
Last active Jan 31, 2018
Experiment at applying LSB stego to gifs
View nyancair_gif_test.py
from PIL import Image
from cStringIO import StringIO
import requests
import imageio
import base64
import re
def GetGifPixel(gif):
frame = Image.open(gif)
nframes = 0
View Get-Doppelgangers.ps1
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause