| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
silence-is-best
/ gist:5e182a5d3d33b29eb68412698bd97f02
Created
June 10, 2021 17:06
Bitrat yara sigs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule bitrat_2_mem | |
| { | |
| meta: | |
| description = "BitRAT" | |
| author = "James_inthe_box" | |
| reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b" | |
| date = "2021/06" | |
| maltype = "RAT" | |
| strings: |
Neo23x0
/ Base64_CheatSheet.md
Last active
March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table
jgamblin
/ websiteup.sh
Created
September 3, 2018 13:42
Simple Bash Script To Take A Long List Of Domains And Return Only Ones With Webpages.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| for url in $(cat domains.txt) | |
| do | |
| if curl --output /dev/null --silent --head --fail "$url"; then | |
| printf "$url \\n" | |
| else | |
| : | |
| fi | |
| done |
mattifestation
/ AMSIScriptContentRetrieval.ps1
Created
June 18, 2018 00:47
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
markekraus
/ Get-AADBitLockerRcoveryKey.ps1
Last active
June 6, 2018 12:26
Get BitLocker Recovery Key from Azure AD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Modules AzureRM.Profile, AzureAD | |
| $DeviceObjectId = '' # Set an objectID for a device | |
| $SubScriptionID = '' # change with your subscription ID | |
| Add-AzureRmAccount | |
| $Subscription = Select-AzureRmSubscription -Subscription $SubScriptionID | |
| $currentAzureContext = Get-AzureRmContext -Name $Subscription.Name | |
| $TenantId = $currentAzureContext.Tenant.Id | |
| $tokenCache = $currentAzureContext.TokenCache | |
| $Cache = $tokenCache.ReadItems().Where({$_.ExpiresOn -gt (Get-Date) -and $_.TenantId -eq $TenantId })[0] |
jgamblin
/ vtslack.py
Last active
November 15, 2021 05:02
Scan a Folder and Upload VT Findings to Slack.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import os | |
| import sys | |
| import json | |
| import urllib | |
| import urllib2 | |
| import hashlib | |
| import argparse | |
| from slacker import Slacker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *ExecuteShellCommand* | |
| *GetDelegateForFunctionPointer* | |
| *GetModuleHandle* | |
| *GetProcAddress* | |
| *Groups.User.Properties.cpassword* | |
| *IMAGE_NT_OPTIONAL_HDR64_MAGIC* | |
| *InteropServices.HandleRef* | |
| *kernel32.dll* | |
| *LSA_UNICODE_STRING* | |
| *Management.Automation.RuntimeException* |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
alirobe
/ reclaimWindows10.ps1
Last active
April 26, 2024 17:59
This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things. Not guaranteed to catch everything. Review and tweak before running. Reboot after running. Scripts for reversing are included and commented. Fork of https://github.com/Disassembler0/Win10-Initial-Setup-Script (different defaults). N.…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### | |
| ### | |
| ### UPDATE: For Win 11, I recommend using this tool in place of this script: | |
| ### https://christitus.com/windows-tool/ | |
| ### https://github.com/ChrisTitusTech/winutil | |
| ### https://www.youtube.com/watch?v=6UQZ5oQg8XA | |
| ### iwr -useb https://christitus.com/win | iex | |
| ### | |
| ### |
Neo23x0
/ config-server.xml
Last active
March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| This is a Microsoft Sysmon configuation to be used on Windows server systems | |
| v0.2.1 December 2016 | |
| Florian Roth | |
| The focus of this configuration is | |
| - hacking activity on servers / lateral movement (bad admin, attacker) | |
| It is not focussed on | |
| - malware detection (execution) | |
| - malware detection (network connections) |
NewerOlder