
@bigbrobro
bigbrobro / RMM-detection.md
Created April 23, 2023 09:40 — forked from brokensound77/RMM-detection.md
Detection Engineering: RMM analysis

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  • if the software is not used in the environment
    • could it be legitimately used by a random employee?
    • is it an attacker BYOL?
    • even so, all occurrences could probably be considered suspicious
  • if it is used in the environment
    • is every use of it legitimate? Probably not
  • this also creates significant living off the land (LOL) opportunity
#pragma comment(linker,"/export:D3D10CompileEffectFromMemory=d3d10_1_orig.D3D10CompileEffectFromMemory,@1")
#pragma comment(linker,"/export:D3D10CompileShader=d3d10_1_orig.D3D10CompileShader,@2")
#pragma comment(linker,"/export:D3D10CreateBlob=d3d10_1_orig.D3D10CreateBlob,@3")
#pragma comment(linker,"/export:D3D10CreateDevice1=d3d10_1_orig.D3D10CreateDevice1,@4")
#pragma comment(linker,"/export:D3D10CreateDeviceAndSwapChain1=d3d10_1_orig.D3D10CreateDeviceAndSwapChain1,@5")
#pragma comment(linker,"/export:D3D10CreateEffectFromMemory=d3d10_1_orig.D3D10CreateEffectFromMemory,@6")
#pragma comment(linker,"/export:D3D10CreateEffectPoolFromMemory=d3d10_1_orig.D3D10CreateEffectPoolFromMemory,@7")
#pragma comment(linker,"/export:D3D10CreateStateBlock=d3d10_1_orig.D3D10CreateStateBlock,@8")
#pragma comment(linker,"/export:D3D10DisassembleEffect=d3d10_1_orig.D3D10DisassembleEffect,@9")
#pragma comment(linker,"/export:D3D10DisassembleShader=d3d10_1_orig.D3D10DisassembleShader,@10")
using System;
using System.Runtime.InteropServices;
using System.Text;
namespace SendMessageKernelCallback
{
/*References:
* 1. https://t0rchwo0d.github.io/windows/Windows-Process-Injection-Technique-KernelCallbackTable/
* 2. https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/
*/
@bigbrobro
bigbrobro / 20211210-TLP-WHITE_LOG4J.md
Created December 15, 2021 11:21 — forked from SwitHak/20211210-TLP-WHITE_LOG4J.md
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-15 0016 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

@bigbrobro
bigbrobro / ClippyShellcodeInject.cs
Created November 26, 2021 10:03
Clipboard Shellcode Injection
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Example: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o <outputfile.bin>
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace ClippySCInject
@bigbrobro
bigbrobro / pidspoofDinvoke.cs
Created August 17, 2021 02:34 — forked from jfmaes/pidspoofDinvoke.cs
PIDSpoof-DInvoke-Dev-Nuget-NoDynamicAPIIInvoke
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace DInvoke_PIDSpoof_DevNuget
{
class Program
{
static void Main(string[] args)
@bigbrobro
bigbrobro / SQL Query for Process Reimaging
Created August 13, 2021 17:03 — forked from jsecurity101/SQL Query for Process Reimaging
Query ran to detect Process Reimaging behavior
SELECT
a.computer_name,
a.OriginalFileName,
a.LogonId,
b.ProcessId,
c.TargetFilename
FROM processreimaging a
JOIN processreimaging b
ON a.ProcessGuid = b.ProcessGuid
AND b.channel = "Microsoft-Windows-Sysmon/Operational"
@bigbrobro
bigbrobro / Various-Macro-Based-RCEs.md
Created August 12, 2021 16:53 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring the user to click Enable Content
  2. The Unicorn Powershell based payload
@bigbrobro
bigbrobro / DInjectQueuerAPC.cs
Last active August 17, 2021 02:34 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
/// csc.exe injection.cs GadgetToJScript.exe -b -a injection.exe -w hta
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{