
@olliencc
olliencc / Dockerfile
Created Jan 11, 2022
OpenCanarySSHExtending
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:toor' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
olliencc / Dockerfile
Created Jan 11, 2022
Excerpts of the ssh module for opencanaryd
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:toor' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
olliencc / DLLLoadReasonEnumeratorWithWhen.cpp
Created Jan 7, 2022
Enumerates which DLL loaded when and why for each process via PEB enumeration
/*
DLL Load Reason Enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / AA.cpp
Last active Jan 26, 2022
Enumerates why each DLL loaded for each process via PEB
/*
This was the first version; the newer version also records *when* each DLL was loaded:
https://gist.github.com/olliencc/e166a64ca211c51eb69111f26ce57bc1
*/
olliencc / WindowsThreadStartModule.cpp
Last active Jan 26, 2022
Thread Start Address Enumerator for Microsoft Windows
/*
Thread Start Address Enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / DetectImpersonatingThreads.cpp
Last active Jan 26, 2022
Detect Windows threads which are impersonating
/*
TEB Detect Impersonating Threads for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / DetectHardwareBreakPointMisuse.cpp
Last active Jan 26, 2022
Detect Windows processes with hardware breakpoints set
/*
Debug register (hardware breakpoint) misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / WindowsVEHusingProcEnumandCountandDecode.cpp
Created Jan 3, 2022
Enumerates processes which use VEH via their PEB, counts the number of VEHs present, decodes the encoded handler pointers and works out which module each handler lives in
/*
VEH misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / WindowsVEHusingProcEnumandCount.cpp
Created Jan 2, 2022
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present
/*
VEH misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
olliencc / WindowsVEHusingProcEnum.cpp
/*
VEH using process enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/