gist:02e7b4d5734ea549b08d4827da9c3208
Get-ChildItem -Path c:\ -Recurse | Sort-Object Length -Descending | Select-Object length,name,directory -First 100 | Format-Table -AutoSize
@nguyenl95
nguyenl95 / powershell-non-domain-remoting.md
Created Jan 7, 2020 — forked from cmcginty/powershell-non-domain-remoting.md
Windows Powershell Remoting into Non-Domain Joined System

Powershell Remoting to a Non-Domain Host

  1. From an admin shell, enable PS remoting on the machine you wish to access:
New-ItemProperty -Name LocalAccountTokenFilterPolicy `
  -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
  -PropertyType DWord -Value 1

Enable-PsRemoting -Force
@nguyenl95
nguyenl95 / ida_memdump.py
Created Jan 2, 2020 — forked from herrcore/ida_memdump.py
Dump a blob of memory into a file - IDA Pro script
import idautils
import idaapi
import idc  # GetManyBytes lives in idc; the original script omitted this import


def memdump(ea, size, file):
    """Read `size` bytes at address `ea` from the IDA database and write them to `file`."""
    # idc.GetManyBytes is the pre-7.4 IDAPython API; it returns None if the range is not loaded.
    data = idc.GetManyBytes(ea, size)
    if data is None:
        print("Memdump failed: could not read 0x%x bytes at 0x%x" % (size, ea))
        return
    with open(file, "wb") as fp:
        fp.write(data)
    print("Memdump Success!")
0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f
## uploaded by @JohnLaTwC
https://www.virustotal.com/en/file/0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f/analysis/
https://docs.microsoft.com/en-us/windows/desktop/api/wininet/nf-wininet-internetconnecta
/* Prototype as documented by Microsoft; the function returns an HINTERNET session handle, not void. */
HINTERNET InternetConnectA(
    HINTERNET     hInternet,       /* handle from InternetOpenA */
    LPCSTR        lpszServerName,  /* host name or IP address the sample connects to */
    INTERNET_PORT nServerPort,
    LPCSTR        lpszUserName,
    LPCSTR        lpszPassword,
    DWORD         dwService,       /* INTERNET_SERVICE_HTTP / _FTP */
    DWORD         dwFlags,
    DWORD_PTR     dwContext
);
@nguyenl95
nguyenl95 / base64-to-hex.py
Created Nov 13, 2019 — forked from kkirsche/base64-to-hex.py
Decode base64 and convert to hex format, like shellcode
#!/usr/bin/env python3
# Decode URL-encoded base64 strings and print the raw bytes as hex (e.g. a shellcode blob).
# The original targeted Python 2 (urllib.unquote); ported here to Python 3.
from base64 import b64decode
from urllib.parse import unquote

base64_strs = ['xU5LNJhXeo9B6o4Ri%2FxFHodARXWqgtNufNrYzqG05nGOLNboDgJtkw%3D%3D',
               '%2BjAd73J7RAZgLxAUkIG5l0cMPLQEBAtZRMP3WdXr1%2BMYdrg2cZKaow%3D%3D']

for bstr in base64_strs:
    unquoted_bstr = unquote(bstr)   # %2F -> '/', %2B -> '+', %3D -> '='
    raw = b64decode(unquoted_bstr)
    print(raw.hex())
StartLogging.xml
<Sysmon schemaversion="4.1">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == Process Creation. Log all newly created processes except -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">btool.exe</Image>
      <Image condition="contains">SnareCore</Image>
      <Image condition="contains">nxlog</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
@nguyenl95
nguyenl95 / install-docker-compose.sh
Last active Oct 17, 2018 — forked from ohze/install-docker-compose.sh
Install docker-compose in boot2docker 1.7.0+
#!/bin/sh
# Install bash (boot2docker ships without it)
# TODO: how to make the bash install persistent across reboots?
tce-load -wi bash

# Then install docker-compose
DOCKER_COMPOSE_VERSION=1.22.0
# Download docker-compose to the permanent storage