Skip to content

Instantly share code, notes, and snippets.

Listening to meowzek

Dan danzek

Listening to meowzek
View GitHub Profile
View Kill-Ransomware.ps1
# Ransomware Killer v0.1 by Thomas Patzke <>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID
Neo23x0 / sysmon_suspicious_keyboard_layout_load.yml
Last active Sep 4, 2020
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
View sysmon_suspicious_keyboard_layout_load.yml
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
author: Florian Roth
date: 2019/10/12
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see'
mattifestation / ExpandDefenderSig.ps1
Created Mar 28, 2019
Decompresses Windows Defender AV signatures for exploration purposes
View ExpandDefenderSig.ps1
filter Expand-DefenderAVSignatureDB {
Decompresses a Windows Defender AV signature database (.VDM file).
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project ( Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
View Invoke-AccessXSLT.ps1
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
function Invoke-AccessXSLT {
mattifestation / SimpleTCGLogParser.ps1
Last active Apr 14, 2019
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
View SimpleTCGLogParser.ps1
Import-Module HgsDiagnostics
$GetHgsTrace = Get-Command Get-HgsTrace
$RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' }
Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName
$MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName
$LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog)
$ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes)
$ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex
sf-jonstewart /
Last active Feb 21, 2019
Stroz Friedberg developer Shane McCulley rewrote our Python scripts for parsing Windows shell items using Kaitai. We'll contribute the definitions to Kaitai as open source. shows how to construct a parser on top of the Kaitai-generated parsers. This is an unsupported pre-release. Feedback welcome!
import datetime
from typing import AnyStr, Generator, Optional, Tuple, Type, Union
import uuid
from kaitaistruct import BytesIO, KaitaiStream
import known_uuids
import logging
import ShellItemList
JohnLaTwC / star basic macro malware.txt
Created Feb 7, 2019
StarBasic macro Malware (Uploaded by @JohnLaTwC)
View star basic macro malware.txt
## Uploaded by @JohnLaTwC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-// OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub OnLoad
Dim os as string
#!/usr/bin/env python3
import os
from time import sleep
FILE_PATH = 'ts.txt'
def get_atime_1():
result = os.stat(FILE_PATH, follow_symlinks = False)
return result.st_atime
View abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
public class ComAbandonment
BankSecurity / Simple_Rev_Shell.cs
Last active Aug 27, 2020
C# Simple Reverse Shell Code
View Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
You can’t perform that action at this time.