dalmoz
/ CheckAngelfire.ps1
Last active
September 3, 2017 08:33
A one-liner powershell script for testing if your station is infected by the CIA's Angelfire. Path known from: https://wikileaks.org/vault7/document/Angelfire-2_0-UserGuide/Angelfire-2_0-UserGuide.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if ((Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows').GetValue('SystemLookup')) {Write-Host "Angelfire found!"} else {Write-Host "Nothing"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| development: | |
| adapter: mysql2 | |
| encoding: utf8 | |
| database: my_database | |
| username: root | |
| password: | |
| apt: | |
| - somepackage | |
| - anotherpackage |
aronwoost
/ gist:1000402
Created
May 31, 2011 12:11
Exclude private ip addresses from google analytics tracking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (function(){ | |
| var re = /(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|localhost/; | |
| if(re.test(window.location.hostname)) return; | |
| var _gaq=[['_setAccount','UA-23156659-1'],['_trackPageview'],['_trackPageLoadTime']]; | |
| (function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];g.async=1; | |
| g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js'; | |
| s.parentNode.insertBefore(g,s)}(document,'script')); | |
| })(); |
msuhanov
/ print_ts_la.py
Created
December 12, 2018 23:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import os | |
| from time import sleep | |
| FILE_PATH = 'ts.txt' | |
| def get_atime_1(): | |
| result = os.stat(FILE_PATH, follow_symlinks = False) | |
| return result.st_atime |
JohnLaTwC
/ star basic macro malware.txt
Created
February 7, 2019 17:22
StarBasic macro Malware (Uploaded by @JohnLaTwC)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| 25b4214da1189fd30d3de7c538aa8b606f22c79e50444e5733fb1c6d23d71fbe.unzip\Basic\Standard\Module1.xml | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd"> | |
| <script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC ***** | |
| Sub OnLoad | |
| Dim os as string |
sf-jonstewart
/ prelease201902-shell_items.py
Last active
February 21, 2019 01:35
Stroz Friedberg developer Shane McCulley rewrote our Python scripts for parsing Windows shell items using Kaitai. We'll contribute the definitions to Kaitai as open source. shell_items.py shows how to construct a parser on top of the Kaitai-generated parsers. This is an unsupported pre-release. Feedback welcome!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import datetime | |
| from typing import AnyStr, Generator, Optional, Tuple, Type, Union | |
| import uuid | |
| from kaitaistruct import BytesIO, KaitaiStream | |
| import known_uuids | |
| import logging | |
| import ShellItemList |
mattifestation
/ SimpleTCGLogParser.ps1
Last active
April 14, 2019 01:43
If you have the HgsDiagnostics PowerShell module, then you can parse TCG logs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module HgsDiagnostics | |
| $GetHgsTrace = Get-Command Get-HgsTrace | |
| $RemoteAttestationCoreReference = $GetHgsTrace.ImplementingType.Assembly.GetReferencedAssemblies() | Where-Object { $_.Name -eq 'Microsoft.Windows.RemoteAttestation.Core' } | |
| Add-Type -AssemblyName $RemoteAttestationCoreReference.FullName | |
| $MostRecentTCGLog = Get-ChildItem C:\Windows\Logs\MeasuredBoot | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1 | Select-Object -ExpandProperty FullName | |
| $LogBytes = [IO.File]::ReadAllBytes($MostRecentTCGLog) | |
| $ParsedTCGLog = [Microsoft.Windows.RemoteAttestation.Core.TcgEventLog]::Parse($LogBytes) | |
| $ParsedTCGLog.TcgData.Children | Sort-Object -Property PcrIndex | Group-Object -Property PcrIndex |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Registers | |
| Caller-saved Callee-saved | |
| RAX RCX RSP RDI RSI RDX R8 R9 R10 R11 RBP RBX R12 R13 R14 R15 | |
| Args: RDI, RSI, RDX, RCX, R8, R9, XMM0–7 | |
| Return: RAX | |
| Simple Compile | |
| yasm -f macho64 foo.asm && gcc foo.c foo.o -Wall -Wextra -g -O1 |
mkorman90
/ create_exe_for_each_dll_ordinal.py
Last active
July 11, 2020 12:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import pefile | |
| filename = '/home/martin/some_binary.dll' | |
| base = os.path.basename(filename) | |
| pe = pefile.PE(filename) | |
| #Remove is_dll flag | |
| pe.FILE_HEADER.Characteristics = pe.FILE_HEADER.Characteristics - 0x2000 |
Neo23x0
/ sysmon_suspicious_keyboard_layout_load.yml
Last active
September 4, 2020 15:41
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Suspicious Keyboard Layout Load | |
| description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only | |
| references: | |
| - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index | |
| author: Florian Roth | |
| date: 2019/10/12 | |
| logsource: | |
| product: windows | |
| service: sysmon | |
| definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' |
OlderNewer