Bart P bartblaze
awakecoding
/ Get-RdpLogonEvent.ps1
Created
September 7, 2022 01:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-RdpLogonEvent | |
| { | |
| [CmdletBinding()] | |
| param( | |
| [Int32] $Last = 10 | |
| ) | |
| $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{ | |
| LogName='Security' | |
| ProviderName='Microsoft-Windows-Security-Auditing' |
0xmachos
/ macOS-IR-Forensics.md
Last active
February 28, 2024 13:11
If someone wants to learn MacOS IR/forensics what’s the best resource for that?
G0ldenGunSec
/ wmicLateralMovement.txt
Created
December 11, 2019 14:55
WMIC Service Modification for Lateral Movement
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| As always, only for use on networks you own or have permission to test against. | |
| Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely. | |
| If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well. | |
| The process involves a total of four commands, three of which can be combined on the command line to form one large block. | |
| Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager) | |
| wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName |
dmaasland
/ Invoke-Procdump.ps1
Created
November 27, 2019 12:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ProcDump { | |
| public static class DbgHelp { | |
| [DllImport("Dbghelp.dll")] | |
| public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from scapy.all import * | |
| from py2neo import Graph, Node, Relationship | |
| packets = rdpcap("<your_pcap_file>") | |
| g = Graph(password="<your_neo4j_password>") | |
| for packet in packets.sessions(): | |
| pkt = packet.split() |
mint177
/ RTF obfuscation techniques.rtf
Last active
October 14, 2021 19:39
RTF obfuscation techniques
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {\rt- RTF SPECIFICATION SUCKS | |
| {\u0097}} | |
| {\uc2 \u0098}}} | |
| {\uc2 \u0099\'**}} | |
| {\uc2 \uc31682 \u0101} | |
| {\u0100}} | |
| {\uc-1 \u0102} | |
| {\object\objemb\objw-\objh- |
struppigel
/ dedosfuscator.py
Created
July 26, 2018 16:41
Deobfuscates Batch script in https://www.gdatasoftware.com/blog/2018/07/30924-g-data-analysis-discovers-dosfuscation-in-the-wild
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import re | |
| if len(sys.argv) <= 1: exit() | |
| scriptpath = sys.argv[1] | |
| with open(scriptpath, 'r') as scriptfile: | |
| script = scriptfile.read().replace('^', '') | |
| p = re.compile('\([Ss][Ee][Tt][^=]+=([^&]+)&&') | |
| s = p.search(script) |
mgeeky
/ Various-Macro-Based-RCEs.md
Last active
January 14, 2024 16:43
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.
This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:
- Page substiution macro for luring user to click Enable Content
- The Unicorn Powershell based payload
skochinsky
/ rich.py
Created
April 13, 2017 13:03
MSVC PE Rich header parser with compiler version display
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html | |
| import sys | |
| import struct | |
| # I'm trying not to bury the magic number... | |
| CHECKSUM_MASK = 0x536e6144 # DanS (actuall SnaD) | |
| RICH_TEXT = 'Rich' | |
| RICH_TEXT_LENGTH = len(RICH_TEXT) | |
| PE_START = 0x3c | |
| PE_FIELD_LENGTH = 4 |