@gwillem
gwillem / _cronrat.sh
Last active July 11, 2022 14:04
This is the decoded payload from the CRON loader. Full analysis here: https://sansec.io/research/cronrat
set -eEu
set -o pipefail
trap 'echo "L$LINENO"; O70; exit -1' ERR
O54=4
function O70()
{
if [[ ! -z "${O57+x}" ]]; then
if [[ -f "${O57}" ]]; then
rm -f "${O57}"
fi
@OsandaMalith
OsandaMalith / Unload_Minifilter.c
Last active August 13, 2021 12:39
Unloading a minifilter driver by calling FilterUnload, which is the Win32 equivalent of FltUnloadFilter. It will call the minifilter's FilterUnloadCallback (PFLT_FILTER_UNLOAD_CALLBACK) routine.
#include "stdafx.h"
#include <Windows.h>
#include <fltuser.h>
#pragma comment(lib,"FltLib.lib")
/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Description: Unloading a minifilter driver by calling the FilterUnload which is the Win32 equivalent of FltUnloadFilter.
@stevecheckoway
stevecheckoway / notes.md
Created May 29, 2019 18:30
Installing Ghidra Server on Ubuntu 18.04.2 LTS

Installation on Ubuntu 18.04.2 LTS

  1. Install the jdk.

    $ sudo apt update
    $ sudo apt install default-jdk
    
  2. Create a new user.

@kirk-sayre-work
kirk-sayre-work / gist:6ebdee9eff31ba8bd6e35ec3f9efd726
Created May 15, 2019 19:17
YARA rule to detect Office files modified to hide VBA modules from the Office VBA IDE.
rule vba_hidden_from_editor {
  strings:
    $header_office = { D0 CF 11 E0 }
    $has_macros = "\x0aDocument="
    $s1 = /\x0aDocument=.{3,1000}\x0d?\x0a\w{4,30}=(\{|"|[a-zA-Z])/
    $s2 = /\x0aDocument=This(Docume|Displa)[a-zA-Z](\x00.){10,}/
  condition:
@Neo23x0
Neo23x0 / iddqd.yar
Last active January 18, 2024 13:04
IDDQD - Godmode YARA Rule
/*
WARNING:
the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
@flerpadoo
flerpadoo / butchered-delete-tweets.py
Last active August 19, 2019 22:52
I'm a bad person. I should have just fixed the script in the repo of the original author, but opted to steal the TweetDestroyer module instead and wrap it with updated code to support the Twitter JSON (not CSV) - thanks @koenrh!
from datetime import datetime
import json, os, twitter, io, time
string_input_with_date = "01/01/2018"
file_name = 'tweet.js'
TWITTER_CONSUMER_KEY=""
TWITTER_CONSUMER_SECRET=""
TWITTER_ACCESS_TOKEN=""
TWITTER_ACCESS_TOKEN_SECRET=""
@lizthegrey
lizthegrey / attributes.rb
Last active February 24, 2024 14:11
Hardening SSH with 2FA
default['sshd']['sshd_config']['AuthenticationMethods'] = 'publickey,keyboard-interactive:pam'
default['sshd']['sshd_config']['ChallengeResponseAuthentication'] = 'yes'
default['sshd']['sshd_config']['PasswordAuthentication'] = 'no'
@MrThreat
MrThreat / findbadlinkers.yar
Created September 17, 2018 05:25
BSides malware YARA rule for APT LNK files.
rule lnkfileoverRFC
{
strings:
$header = {4c00 0000 0114 0200 0000} //lnk file header
$command = "C:\\Windows\\System32\\cmd.exe" fullword ascii //cmd is precursor to findstr
$command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex
$base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii //some base64 filler, needed to work with routine
$cert = "l -decode" ascii //base64 decoder
condition:
filesize > 15KB and ($header at 0) and $command and $command2 and $cert and $base64
@Arignir
Arignir / README.md
Last active December 19, 2018 22:55
HoleyBeep exploit

HoleyBeep

This is an exploit for HoleyBeep.

To use it, place any command you want root to execute in /tmp/x.

$ cat /tmp/x
echo PWNED $(whoami)