Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rule bitrat_2_mem | |
{ | |
meta: | |
description = "BitRAT" | |
author = "James_inthe_box" | |
reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b" | |
date = "2021/06" | |
maltype = "RAT" | |
strings: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
for url in $(cat domains.txt) | |
do | |
if curl --output /dev/null --silent --head --fail "$url"; then | |
printf "$url \\n" | |
else | |
: | |
fi | |
done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Script author: Matt Graeber (@mattifestation) | |
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# Do your malicious things here that would be logged by AMSI | |
# logman stop AMSITrace -ets | |
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
$OSArch = $OSArchProperty.OSArchitecture | |
$OSPointerSize = 32 | |
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Requires -Modules AzureRM.Profile, AzureAD | |
$DeviceObjectId = '' # Set an objectID for a device | |
$SubScriptionID = '' # change with your subscription ID | |
Add-AzureRmAccount | |
$Subscription = Select-AzureRmSubscription -Subscription $SubScriptionID | |
$currentAzureContext = Get-AzureRmContext -Name $Subscription.Name | |
$TenantId = $currentAzureContext.Tenant.Id | |
$tokenCache = $currentAzureContext.TokenCache | |
$Cache = $tokenCache.ReadItems().Where({$_.ExpiresOn -gt (Get-Date) -and $_.TenantId -eq $TenantId })[0] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
import os | |
import sys | |
import json | |
import urllib | |
import urllib2 | |
import hashlib | |
import argparse | |
from slacker import Slacker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
*ExecuteShellCommand* | |
*GetDelegateForFunctionPointer* | |
*GetModuleHandle* | |
*GetProcAddress* | |
*Groups.User.Properties.cpassword* | |
*IMAGE_NT_OPTIONAL_HDR64_MAGIC* | |
*InteropServices.HandleRef* | |
*kernel32.dll* | |
*LSA_UNICODE_STRING* | |
*Management.Automation.RuntimeException* |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
. | |
.. | |
........ | |
@ | |
* | |
*.* | |
*.*.* | |
🎠|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### | |
### | |
### UPDATE: For Win 11, I recommend using this tool in place of this script: | |
### https://christitus.com/windows-tool/ | |
### https://github.com/ChrisTitusTech/winutil | |
### https://www.youtube.com/watch?v=6UQZ5oQg8XA | |
### iwr -useb https://christitus.com/win | iex | |
### | |
### |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
This is a Microsoft Sysmon configuation to be used on Windows server systems | |
v0.2.1 December 2016 | |
Florian Roth | |
The focus of this configuration is | |
- hacking activity on servers / lateral movement (bad admin, attacker) | |
It is not focussed on | |
- malware detection (execution) | |
- malware detection (network connections) |
NewerOlder