@nguyenl95
nguyenl95 / configure.sh
Created August 16, 2019 05:24
config elasticsearch
#!/usr/bin/env bash
# Production settings for Elasticsearch in Ubuntu 16.04
set -eux
CURRENT_USER=$(whoami)
# quote the path so a script directory containing spaces does not break cd
CURRENT_DIR=$(dirname "$0")
cd "${CURRENT_DIR}"
# use x.sh <share-name> <mounted-folder>
sudo vmhgfs-fuse ".host:/${1}" "${2}" -o allow_other -o uid=1000
<Sysmon schemaversion="4.1">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Event ID 1 == Process Creation. Log all newly created processes except -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>
<Image condition="contains">btool.exe</Image>
<Image condition="contains">SnareCore</Image>
<Image condition="contains">nxlog</Image>
@nguyenl95
nguyenl95 / base64-to-hex.py
Created November 13, 2019 11:10 — forked from kkirsche/base64-to-hex.py
Decode base64 and convert to hex format, like shellcode
#!/usr/bin/env python3
from base64 import b64decode
from urllib.parse import unquote

base64_strs = ['xU5LNJhXeo9B6o4Ri%2FxFHodARXWqgtNufNrYzqG05nGOLNboDgJtkw%3D%3D',
               '%2BjAd73J7RAZgLxAUkIG5l0cMPLQEBAtZRMP3WdXr1%2BMYdrg2cZKaow%3D%3D']
for bstr in base64_strs:
    # the samples are URL-encoded, so undo the %xx escapes before base64-decoding
    unquoted_bstr = unquote(bstr)
    # print the decoded bytes as a hex string
    print(b64decode(unquoted_bstr).hex())
## uploaded by @JohnLaTwC
https://www.virustotal.com/en/file/0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f/analysis/
https://docs.microsoft.com/en-us/windows/desktop/api/wininet/nf-wininet-internetconnecta
HINTERNET InternetConnectA(
HINTERNET hInternet,
LPCSTR lpszServerName,
INTERNET_PORT nServerPort,
LPCSTR lpszUserName,
LPCSTR lpszPassword,
DWORD dwService,
@nguyenl95
nguyenl95 / ida_memdump.py
Created January 2, 2020 05:22 — forked from herrcore/ida_memdump.py
Dump a blob of memory into a file - IDA Pro script
import idautils
import idaapi
import idc

def memdump(ea, size, file):
    # read `size` bytes starting at address `ea` from the IDA database;
    # GetManyBytes returns None if any byte in the range is not initialised
    data = idc.GetManyBytes(ea, size)
    if data is None:
        print "Memdump failed: range 0x%x-0x%x is not fully loaded" % (ea, ea + size)
        return
    with open(file, "wb") as fp:
        fp.write(data)
    print "Memdump Success!"
@nguyenl95
nguyenl95 / powershell-non-domain-remoting.md
Created January 7, 2020 16:58 — forked from cmcginty/powershell-non-domain-remoting.md
Windows Powershell Remoting into Non-Domain Joined System

Powershell Remoting to a Non-Domain Host

  1. From an admin shell, enable PS remoting on the machine you wish to access:
New-ItemProperty -Name LocalAccountTokenFilterPolicy `
  -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System `
  -PropertyType DWord -Value 1

Enable-PsRemoting -Force
Get-ChildItem -Path c:\ -Recurse | Sort-Object Length -Descending | Select-Object length,name,directory -First 100 | Format-Table -AutoSize
@nguyenl95
nguyenl95 / install-vmware-tools
Created July 9, 2023 15:29 — forked from trietptm/install-vmware-tools
Patch for install-vmware-tools REMnux script to use shared folders
The file install-vmware-tools is from REMnux v6 scripts: https://launchpad.net/~remnux/+archive/ubuntu/stable/+files/remnux-scripts_0.1.50.tar.gz
install-vmware-tools_TrietPTM is my patch for the "install-vmware-tools" script that’s present on REMnux v6 to fix a compatibility issue between VMware Tools and the Linux kernel included in Ubuntu, which prevents shared folders from working.
Other Ways You Can Help With REMnux: https://zeltser.com/remnux-v6-release-for-malware-analysis/