Skip to content

Instantly share code, notes, and snippets.

🎵
Listening to meowzek

Dan danzek

🎵
Listening to meowzek
Block or report user

Report or block danzek

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
@Neo23x0
Neo23x0 / sysmon_suspicious_keyboard_layout_load.yml
Last active Nov 9, 2019
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
View sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
@mattifestation
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
View ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
View Invoke-AccessXSLT.ps1
<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#
@mattifestation
mattifestation / SimpleTCGLogParser.ps1
Last active Apr 14, 2019
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
View SimpleTCGLogParser.ps1
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
@sf-jonstewart
sf-jonstewart / prelease201902-shell_items.py
Last active Feb 21, 2019
Stroz Friedberg developer Shane McCulley rewrote our Python scripts for parsing Windows shell items using Kaitai. We'll contribute the definitions to Kaitai as open source. shell_items.py shows how to construct a parser on top of the Kaitai-generated parsers. This is an unsupported pre-release. Feedback welcome!
View prelease201902-shell_items.py
import datetime
from typing import AnyStr, Generator, Optional, Tuple, Type, Union
import uuid
from kaitaistruct import BytesIO, KaitaiStream
import known_uuids
import logging
import ShellItemList
@JohnLaTwC
JohnLaTwC / star basic macro malware.txt
Created Feb 7, 2019
StarBasic macro Malware (Uploaded by @JohnLaTwC)
View star basic macro malware.txt
## Uploaded by @JohnLaTwC
25b4214da1189fd30d3de7c538aa8b606f22c79e50444e5733fb1c6d23d71fbe.unzip\Basic\Standard\Module1.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub OnLoad
Dim os as string
View print_ts_la.py
#!/usr/bin/env python3
import os
from time import sleep
FILE_PATH = 'ts.txt'
def get_atime_1():
result = os.stat(FILE_PATH, follow_symlinks = False)
return result.st_atime
View abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
{
public class ComAbandonment
{
@BankSecurity
BankSecurity / Simple_Rev_Shell.cs
Last active Nov 11, 2019
C# Simple Reverse Shell Code
View Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
You can’t perform that action at this time.