testanull
/ SharePwn_public.py
Created
December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
adamsvoboda
/ gist:9ac52548d3d81f3185e36b9f0be31990
Created
August 30, 2023 15:02
Windows Defender LSASS ASR Exclusion Paths - 08.30.2023
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %windir%\system32\WerFaultSecure.exe | |
| %windir%\system32\mrt.exe | |
| %windir%\system32\svchost.exe | |
| %windir%\system32\NETSTAT.EXE | |
| %windir%\system32\wbem\WmiPrvSE.exe | |
| %windir%\system32\DriverStore\FileRepository\*\NVWMI\nvWmi64.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe | |
| %programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe |
djhohnstein
/ Cleanup-ClickOnce.ps1
Created
June 27, 2023 21:11
— forked from mgeeky/Cleanup-ClickOnce.ps1
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Usage: | |
| # PS> . .\Cleanup-ClickOnce.ps1 | |
| # PS> Cleanup-ClickOnce -Name MyAppName | |
| # | |
| # Other than that you might also try using these commands: | |
| # PS> rundll32 dfshim.dll,ShArpMaintain C:\Path\To\ClickOnce.application | |
| # PS> rundll32 dfshim.dll CleanOnlineAppCache | |
| # |
mgeeky
/ Cleanup-ClickOnce.ps1
Last active
March 18, 2024 16:05
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. | |
| # Attempts to remove both installed and online-only deployments. | |
| # | |
| # Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
| # | |
| # Usage: | |
| # PS> . .\Cleanup-ClickOnce.ps1 | |
| # PS> Cleanup-ClickOnce -Name MyAppName | |
| # |
mgeeky
/ Dynamic_PInvoke_Shellcode.cs
Created
June 22, 2023 19:19
— forked from bohops/Dynamic_PInvoke_Shellcode.cs
Dynamic_PInvoke_Shellcode.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| namespace ShellcodeLoader | |
| { | |
| class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| * Written for a CTF :) | |
| * --- | |
| * Author: Bryan McNulty | |
| * Contact: bryanmcnulty@protonmail.com | |
| * GitHub: https://github.com/bryanmcnulty | |
| * --- | |
| * Dependencies: |
mgeeky
/ gist:82d6abe0508ae81f107689864fb5dfc0
Created
September 6, 2022 12:09
office-to-iso-with-motw.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pack macro-enabled doc to ISO | |
| py PackMyPayload.py Resume1337.xlsm test11.iso | |
| # Apply MOTW on that ISO | |
| Set-Content -Path test11.iso -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' | |
| # Mount it | |
| Mount-DiskImage -ImagePath test11.iso |
christian-taillon
/ follina.spl
Created
June 9, 2022 00:42
Search to look for Follina Adversary activity. Written in SPL for Crowdstrike data; however, content can support queries in other products.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ((((ParentBaseFileName IN ("*WINWORD.EXE" , | |
| "*EXCEL.EXE" , | |
| "*POWERPNT.EXE" , | |
| "*MSPUB.EXE" , | |
| "*VISIO.EXE" , | |
| "*OUTLOOK.EXE" , | |
| "*MSACCESS.EXE" , | |
| "*MSPROJECT.EXE" , | |
| "*ONENOTE.EXE")) | |
| AND ((CommandHistory IN ("*msdt.exe*" , |
bohops
/ Dynamic_PInvoke_Shellcode.cs
Last active
September 25, 2023 17:44
Dynamic_PInvoke_Shellcode.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| namespace ShellcodeLoader | |
| { | |
| class Program |
mgeeky
/ Enumerate-URIHandlers.ps1
Created
January 12, 2022 12:24
Enumerate Windows URI Handlers (Keys in HKEY_CLASSES_ROOT that contain "URL Protocol" values), examples: http:, calculator:, ms-officecmd:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null | |
| $count = 0 | |
| try { | |
| Get-ChildItem HKCR: -ErrorAction SilentlyContinue | ForEach-Object { | |
| if((Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains "URL Protocol") { | |
| $name = $_.PSChildName | |
| $count += 1 | |
| $line = "URI Handler {0:d4}: {1}" -f $count, $name | |
| Write-Host $line | |
| } |
NewerOlder