Skip to content

Instantly share code, notes, and snippets.

mattifestation / EnableAMSILogging.ps1
Last active Aug 17, 2021
Enables AMSI logging to the AMSI/Operational event log
View EnableAMSILogging.ps1
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41
rootkea / spectre.c
Created Jan 4, 2018
PoC from Spectre Attacks: Exploiting Speculative Execution (
View spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#include <x86intrin.h> /* for rdtscp and clflush */
View sqlmap tamper scripts
# All scripts
# General scripts
# Microsoft access
gfoss /
Created Aug 3, 2017
Simple Masscan + Hydra wrapper used to perform automated scans by group (organization, unit, team, etc) and generate a report on the results.
# @heinzarelli
# greg . foss [at] logrhythm . com
# v0.1 - May 2017
function usage {
echo ""
gfoss / Extract-WiFi-Creds.ps1
Last active Mar 29, 2021
Simple script to extract locally-stored Wi-Fi Credentials
View Extract-WiFi-Creds.ps1
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
# Licensed under the MIT License

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

leoloobeek / EventVwrBypass.cs
Last active Mar 6, 2021
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
View EventVwrBypass.cs
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
InstallUtil.exe C# version of Event Viewer UAC bypass
jaredcatkinson / Get-InjectedThread.ps1
Last active Sep 1, 2021
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
Looks for threads that were created as a result of code injection.
# Attack created by Mubix. For more information see:
# Modified for Nethunter by Binkybear
# ================== #
# Check for root
# ================== #
MichaelPote / himawari.ps1
Created Feb 3, 2016
Windows Powershell Script to download the latest image from the Himawari-8 satelite, combine the tiles into a single image, convert to jpg and then set as the desktop background.
View himawari.ps1
# Himawari-8 Downloader
# This script will scrape the latest image from the Himawari-8 satellite, recombining the tiled image,
# converting it to a JPG which is saved in My Pictures\Himawari\ and then set as the desktop background.