Arno0x

BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL

1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"

================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:

multiplex3r

#!/usr/bin/env python3
from scapy.all import *
from py2neo import Graph, Node, Relationship

packets = rdpcap("<your_pcap_file>")
g = Graph(password="<your_neo4j_password>")


for packet in packets.sessions():
    pkt = packet.split()

X-C3LL

' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)


'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/


Private Type LARGE_INTEGER

oysstu

def crc16(data: bytes, poly=0x8408):
    '''
    CRC-16-CCITT Algorithm
    '''
    data = bytearray(data)
    crc = 0xFFFF
    for b in data:
        cur_byte = 0xFF & b
        for _ in range(0, 8):
            if (crc & 0x0001) ^ (cur_byte & 0x0001):

jtriley

#!/usr/bin/env python
import os
import shlex
import struct
import platform
import subprocess
 
 
def get_terminal_size():
    """ getTerminalSize()

bontchev

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import print_function

import os
import sys

try:
    import olefile

infosecn1nja

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

s0md3v

#def _tokenize(code, comments, comment_strings, containers):
#    """
#    tokenizes sources code to find hardcoded strings
#    returns list of hardcoded strings
#    """
#    string = container = comment_end = ''
#    state = 'look'
#    skip = 0
#    comment = False
#    all_strings = []

mgraeber-rc

filter Get-AppPackageTriageInfo {
<#
.SYNOPSIS

A tool to perform rapid triage of decompressed application packages (.msix and .appx files).

.DESCRIPTION

Get-AppPackageTriageInfo parses key information from an uncompressed application package (.msix and .appx) without needing to first install it.

wdormann

If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
    Break
}

$outfile = "acltestfile"
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
Foreach ($path in $paths) {
    # This prints a table of ACLs
    # get-acl $path | %{ $_.Access  } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights