Skip to content

Instantly share code, notes, and snippets.

@olliencc
olliencc / Dockerfile
Created January 11, 2022 10:00
OpenCanarySSHExtending
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:toor' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
@olliencc
olliencc / Dockerfile
Created January 11, 2022 09:53
Excerpts of the ssh module for opencanaryd
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:toor' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
@olliencc
olliencc / DLLLoadReasonEnumeratorWithWhen.cpp
Created January 7, 2022 13:55
Enumerates which DLL loaded when and why for each process via PEB enumeration
/*
DLL Load Reason Enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@olliencc
olliencc / AA.cpp
Last active October 11, 2023 10:26
Enumerates why each DLL loaded for each process via PEB
/*
This was the first version - the newer version also includes *When* it was loaded also.
https://gist.github.com/olliencc/e166a64ca211c51eb69111f26ce57bc1
*/
@olliencc
olliencc / WindowsThreadStartModule.cpp
Last active January 26, 2022 06:21
Thread Start Address Enumerator for Microsoft Windows
/*
Thread Start Address Enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@olliencc
olliencc / DetectImpersonatingThreads.cpp
Last active July 5, 2024 23:40
Detect Windows threads which are impersonating
/*
TEB Detect Impersonating Threads for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@olliencc
olliencc / DetectHardwareBreakPointMisuse.cpp
Last active March 2, 2023 01:17
Detect Windows processes with hardware breakpoints set
/*
Debug register (hardware breakpoint) misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@olliencc
olliencc / WindowsVEHusingProcEnumandCountandDecode.cpp
Created January 3, 2022 14:01
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present - decodes pointers and works out which module they are in
/*
VEH misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
@olliencc
olliencc / WindowsVEHusingProcEnumandCount.cpp
Created January 2, 2022 10:25
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present
/*
VEH misuse detector for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/
/*
VEH using process enumerator for Microsoft Windows
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
Released under AGPL see LICENSE for more information
*/