This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this. | |
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
} | |
(proxy_upstream) { | |
# Enable access logging to STDOUT | |
log | |
# This is our list of naughty client User Agents that we don't want accessing our C2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# !! Remember to replace LIGHTHOUSE_IP with your actual Nebula lighthouse external IP Address | |
# See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml | |
pki: | |
ca: /etc/nebula/ca.crt | |
cert: /etc/nebula/host.crt | |
key: /etc/nebula/host.key | |
static_host_map: | |
"192.168.100.1": ["<LIGHTHOUSE_IP>:4242"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Crash the Windows Event Log Service remotely, needs Admin privs | |
# originally discovered by limbenjamin and accidently re-discovered by @byt3bl33d3r | |
# | |
# Once the service crashes 3 times it will not restart for 24 hours | |
# | |
# https://github.com/limbenjamin/LogServiceCrash | |
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html | |
# | |
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from logger import capturer | |
from typing import Optional | |
from fastapi import FastAPI | |
app = FastAPI() | |
@app.get("/logs") | |
async def get_logs(event_name: Optional[str] = None): | |
if not event_name: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import sys | |
ps_shellcode = '@(' | |
with open(sys.argv[1], 'rb') as shellcode: | |
byte = shellcode.read(1) | |
while byte != '': | |
ps_shellcode += '0x{}, '.format(byte.encode('hex')) | |
byte = shellcode.read(1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
''' | |
It has been tested with either py2 or py3. | |
Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK | |
or the memory mapped ring buffer. | |
BPF filter listed below is compiled form of "not port 22" | |
if you want to change it, do something like |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import { Hono } from "hono"; | |
const app = new Hono() | |
app.get('/', async (c) => { | |
const bad_user_agent_array = ['curl', 'httpie'] | |
const user_agent = c.req.header('User-Agent') | |
const ip = c.req.header("CF-Connecting-IP") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
namespace SCCMDecryptPOC | |
{ | |
internal class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
'VBA Macro that detects hooks made by EDRs | |
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
Dim address As LongPtr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#[ | |
Requires the zippy library ("nimble install zippy") | |
References: | |
- https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/core/teamserver/utils.py#L22 | |
- https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1 | |
]# | |
import zippy/[inflate, deflate] | |
import base64 |