Vesselin Bontchev bontchev

## fake_sandbox.ps1
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...

# Usage: .\fake_sandbox.ps1 -action {start,stop}

param([Parameter(Mandatory=$true)][string]$action)

$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
    "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",

## reclaimWindows10.ps1
###
###
### UPDATE: For Win 11, I recommend using this tool in place of this script:
### https://christitus.com/windows-tool/
### https://github.com/ChrisTitusTech/winutil
### https://www.youtube.com/watch?v=6UQZ5oQg8XA
### iwr -useb https://christitus.com/win | iex
###
###

## config-client.xml
<!--
   This is a Microsoft Sysmon configuration to be used on Windows workstations
   v0.2.1 December 2016
   Florian Roth (with the help and ideas of others)

   The focus of this configuration is
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on

## remove_crw.cmd
@echo off
echo Uninstalling KB3075249 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3075249 /quiet /norestart
echo Uninstalling KB3080149 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3080149 /quiet /norestart
echo Uninstalling KB3021917 (telemetry for Win7)
start /w wusa.exe /uninstall /kb:3021917 /quiet /norestart
echo Uninstalling KB3022345 (telemetry)
start /w wusa.exe /uninstall /kb:3022345 /quiet /norestart
echo Uninstalling KB3068708 (telemetry)

## rol-ror.py
###########################################################################
# Rotating bits (tested with Python 2.7)

from __future__ import print_function   # PEP 3105

# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)

# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \

## nginx-elasticsearch-proxy.conf
# Run me with:
#
#     $ nginx -p /path/to/this/file/ -c nginx.conf
#
# All requests are then routed to authenticated user's index, so
#
#    GET http://user:password@localhost/_search?q=*
#
# is rewritten to:
#

## gist:7360908

      
              1 file
            
          
              3613 forks
            
          
              1000 comments
            
          
              16545 stars
            
          
                rxaviers
                / gist:7360908
            
            
              Last active
              April 18, 2024 16:11
            
              
                Complete list of github markdown emoji markup
              
          
    People


 :bowtie:
😄 :smile:
😆 :laughing:


😊 :blush:
😃 :smiley:
☺️ :relaxed:


😏 :smirk:
😍 :heart_eyes:
😘 :kissing_heart:


😚 :kissing_closed_eyes:
😳 :flushed:
😌 :relieved:


😆 :satisfied:
😁 :grin:
😉 :wink:


😜 :stuck_out_tongue_winking_eye:
😝 :stuck_out_tongue_closed_eyes:
😀 :grinning:


😗 :kissing:
😙 :kissing_smiling_eyes:
😛 :stuck_out_tongue:
	# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
	# This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
	# It's just a PoC and it's ugly as f*ck but hey, if it works...

	# Usage: .\fake_sandbox.ps1 -action {start,stop}

	param([Parameter(Mandatory=$true)][string]$action)

	$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
	"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
	###
	###
	### UPDATE: For Win 11, I recommend using this tool in place of this script:
	### https://christitus.com/windows-tool/
	### https://github.com/ChrisTitusTech/winutil
	### https://www.youtube.com/watch?v=6UQZ5oQg8XA
	### iwr -useb https://christitus.com/win \| iex
	###
	###
	<!--
	This is a Microsoft Sysmon configuration to be used on Windows workstations
	v0.2.1 December 2016
	Florian Roth (with the help and ideas of others)

	The focus of this configuration is
	- malware detection (execution)
	- malware detection (network connections)
	- exploit detection
	It is not focussed on
	@echo off
	echo Uninstalling KB3075249 (telemetry for Win7/8.1)
	start /w wusa.exe /uninstall /kb:3075249 /quiet /norestart
	echo Uninstalling KB3080149 (telemetry for Win7/8.1)
	start /w wusa.exe /uninstall /kb:3080149 /quiet /norestart
	echo Uninstalling KB3021917 (telemetry for Win7)
	start /w wusa.exe /uninstall /kb:3021917 /quiet /norestart
	echo Uninstalling KB3022345 (telemetry)
	start /w wusa.exe /uninstall /kb:3022345 /quiet /norestart
	echo Uninstalling KB3068708 (telemetry)
	###########################################################################
	# Rotating bits (tested with Python 2.7)

	from __future__ import print_function # PEP 3105

	# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)

	# Rotate left: 0b1001 --> 0b0011
	rol = lambda val, r_bits, max_bits: \
	(val << r_bits%max_bits) & (2**max_bits-1) \| \
	# Run me with:
	#
	# $ nginx -p /path/to/this/file/ -c nginx.conf
	#
	# All requests are then routed to authenticated user's index, so
	#
	# GET http://user:password@localhost/_search?q=*
	#
	# is rewritten to:
	#
`:bowtie:`	😄 `:smile:`	😆 `:laughing:`
😊 `:blush:`	😃 `:smiley:`	☺️ `:relaxed:`
😏 `:smirk:`	😍 `:heart_eyes:`	😘 `:kissing_heart:`
😚 `:kissing_closed_eyes:`	😳 `:flushed:`	😌 `:relieved:`
😆 `:satisfied:`	😁 `:grin:`	😉 `:wink:`
😜 `:stuck_out_tongue_winking_eye:`	😝 `:stuck_out_tongue_closed_eyes:`	😀 `:grinning:`
😗 `:kissing:`	😙 `:kissing_smiling_eyes:`	😛 `:stuck_out_tongue:`