I hereby claim:
- I am nasbench on github.
- I am nasbench (https://keybase.io/nasbench) on keybase.
- I have a public key ASCERZHjJ7mUyROvWgr41hlUXh_byMkTO918VVCAtXhxbgo
To claim this, I am signing this object:
Nasreddine Bencherchali nasbench
📚
nasbench
/ keybase.md
Created
February 7, 2022 12:42
nasbench
/ fiddlerPOC.cs
Created
June 16, 2022 18:13
A simple fiddler classic extension persistence POC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Diagnostics; | |
| using Fiddler; | |
| [assembly: Fiddler.RequiredVersion("2.3.5.0")] | |
| namespace POCFiddlerDotNet | |
| { | |
| public class PersistencePOC : IFiddlerExtension | |
| { | |
| public PersistencePOC() { } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ADPlus Version='2'> | |
| <Settings> | |
| <Option> FullOnFirst </Option> | |
| <Runmode> Hang </Runmode> | |
| <!-- | |
| If you want to run the binary and not dump anything. | |
| Then this can be any process as long as it's running | |
| --> | |
| <ProcessName> notepad.exe </ProcessName> | |
| <OutputDir>C:\temp\</OutputDir> |
nasbench
/ debug-script.txt
Created
November 8, 2022 19:44
Debug script example that can be used to trigger cdb.exe LOLBIN as described in https://twitter.com/nas_bench/status/1534957360032120833
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| as AdpDumpDir C:\logs\20220609_183403_Crash_Mode | |
| .logopen /t "${AdpDumpDir}\ADPlus_log.log" | |
| as AdpOutputDir C:\logs | |
| as AdpDumpDirEsc C:\\logs\\20220609_183403_Crash_Mode | |
| as AdpTimeStamp 20220609_183403 | |
| * | |
| *----- OS and Time Information ---- | |
| vertarget | |
| * | |
| * |
nasbench
/ Microsoft.NodejsTools.PressAnyKey.md
Created
April 11, 2023 14:55
VisualStudio NodejsTools PressAnyKey Arbitrary Binary Execution
This binary can be used as a LOLBIN as described here.
- The arguments number must be at least 3
- The first first argument can be anything (instead of
both,normalorabnormal). Since theswitchclause doesn't specify a default case. And theflagvariable is set totruebefore the check. - The second argument also can be anything and it will be written to the execution path with the contents being the PID of the process
File.WriteAllText(args[1], process.Id.ToString()); - The thrid argument is passed directly to
ProcessStartInfoand is executedProcess.Start(startInfo);. Hence anything can be called
This binary can be used as a LOLBIN as described here
- The arguments flags are meaningless only the order is important. This means as long as you provide exactly 6 flags and their value the binary will still work. Here are the exact positions for reference:
// Usage: --file <fullyResolvedPath> --processId <processId> --dumpType <dumpType>Here are the steps to follow in order to create a malicious CHM file. As used by APT37
- Download the HTML Help Workshop (Htmlhelp.exe) from MSDN. If the link is dead you can use the archive version here
- Once installed you should have a folder
C:\Program Files (x86)\HTML Help Workshopand inside theMicrosoft HTML Help Compiler (hhc.exe) - We need to create 3 files:
- Project File
.hpp - HTML File
.htm
- Project File
- Table of Contents File
.hhc
You can execute commands in the context of an AppX Package to gain access to it's virtualized resources (example virtualized registry keys or files)
nasbench
/ howto.txt
Created
May 5, 2023 10:07
— forked from andrewkroh/howto.txt
Microsoft-Windows-Windows Defender Event Log Message Resources
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 800, AntiVirus | |
| 801, AntiSpyware | |
| 802, Antimalware | |
| 803, Full | |
| 804, Delta | |
| 805, Full Scan | |
| 806, Quick Scan | |
| 807, Custom Scan | |
| 808, Remove | |
| 809, Quarantine |
nasbench
/ shellBigInt.cs
Created
May 6, 2023 22:43
— forked from djhohnstein/shellBigInt.cs
Shellcode Stuffed in BigInteger
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sing System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee |
OlderNewer