Skip to content

Instantly share code, notes, and snippets.

Avatar
🎯
Focusing

netbiosX netbiosX

🎯
Focusing
View GitHub Profile
View COMPlus_ETWEnabled_detection_notes.md

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
    • Look at the framework registry keys HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
View gadget2jscriptQueueAPCInject.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;
public class Payload
{
@MSAdministrator
MSAdministrator / iranian_apit_groups_possible_commands.md
Last active Sep 20, 2022
Iranian APT Groups & Possible Commands Used By These Groups
View iranian_apit_groups_possible_commands.md

Overview

The following content is generated using a preview release of Swimlane's pyattck.

This snippet of data is scoped to the following actor groups:

  • APT33
  • APT34
  • APT39
  • Charming Kitten
View Invoke-Procdump.ps1
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace ProcDump {
public static class DbgHelp {
[DllImport("Dbghelp.dll")]
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
}
}
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active Sep 16, 2022
Learning Aid - Top Base64 Encodings Table
View Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16)
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@Graph-X
Graph-X / ironregistry.py
Last active Oct 1, 2019
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
View ironregistry.py
from Microsoft.Win32 import Registry
from time import sleep
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 this is a test',u'\x00look at me!')
rkey.Close()
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019
A cheatsheet with commands that can be used to perform kerberos attacks
View kerberos_attacks_cheatsheet.md

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

View mimistack
143 function Invoke-Mimidogz
140 function Invoke-Mimikatz
29 function Invoke-Mimi
10 function Chokorun
7 function Invoke-Ttest
7 function Invoke-Mimiwormz
7 function Invoke-Me
6 function Invoke-Mimiturtle
6 function Invoke-Mimimi
5 function output
@dtmsecurity
dtmsecurity / sharpgen.cna
Created Nov 8, 2018
SharpGen Aggressor Beacon Wrapper
View sharpgen.cna
$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");
alias sharpgen{
$executionId = "sharpgen_" . int(rand() * 100000);
$temporaryCsharp = $temppath . $executionId . ".cs";
$executableFilename = $temppath . $executionId . ".exe";
@brettmillerb
brettmillerb / PowershellTwitterList.md
Last active Jan 8, 2020
Generate a list of displaynames/handles from Powershell Twitter List
View PowershellTwitterList.md
DisplayName                          Twitterhandle   
-----------                          -------------   
fr016                                @fr0161         
chgopsug                             @chgopsug       
Kevin Bates                          @_bateskevin    
Danny Maertens                       @maertend33     
Julien Reisdorffer                   @JReisdorffer   
Ben Reader                           @powers_hell