@wxsBSD
wxsBSD / base64.md
Created December 3, 2019 03:25
Base64 modifier in YARA
wxs@wxs-mbp yara % cat rules/test.yara
rule a {
  strings:
    // This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
    // AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
    // AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
    $a = "This program cannot" base64

 // Custom alphabets are supported, but I have it commented out for now. ;)
@williballenthin
williballenthin / TxR.bt
Created November 22, 2019 20:49
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
//------------------------------------------------
//--- 010 Editor v8.0.1 Binary Template
//
// File: Transactional Registry Transaction Logs (.TxR)
// Authors: Willi Ballenthin <william.ballenthin@fireeye.com>
// Version: 0.1
// Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html
//------------------------------------------------
LittleEndian();
@williballenthin
williballenthin / macOS_keychain.py
Last active November 19, 2022 12:13
bling.py - extract keys from macOS keychains.
#!/usr/bin/env python3
'''
bling.py - extract keys from macOS keychains.
installation:
pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome
usage:
python bling.py /path/to/keychain-db <password> ./path/to/output/directory
@clong
clong / Native-Windows-Useragentss.txt
Created September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
Invoke-WebRequest:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066
System.Net.WebClient.DownloadFile():
None
Start-BitsTransfer:
Microsoft BITS/7.8
certutil.exe:
@williballenthin
williballenthin / stackstrings.yara
Last active July 6, 2023 10:07
match x86 that appears to be stack string creation
rule stack_strings
{
meta:
author = "William Ballenthin"
email = "william.ballenthin@fireeye.com"
license = "Apache 2.0"
copyright = "FireEye, Inc"
description = "Match x86 that appears to be stack string creation."
strings:
if not exist "C:\windows\sysmon_config.xml" (
copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\"
)
sc query "Sysmon" | Find "RUNNING"
If "%ERRORLEVEL%" EQU "1" (
goto startsysmon
)
:startsysmon
net start Sysmon
@mubix
mubix / schtaskmod.ps1
Last active July 18, 2019 13:29
Modify Scheduled Task
Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions }
@leoloobeek
leoloobeek / EventVwrBypass.cs
Last active June 6, 2023 08:50
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active April 22, 2024 19:09
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION

Scenario 1 - Detection logic in osquery, alerting logic on backend (Splunk/ELK/StreamAlert)

osquery.conf

"bash_reverse_shell": {
  "query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
  "interval": 30,
  "description": "Looks for processes that resemble a bash reverse shell"
}