Ollie olliencc
olliencc
/ WindowsVEHusingProcEnumandCount.cpp
Created
January 2, 2022 10:25
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| VEH misuse detector for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
olliencc
/ WindowsVEHusingProcEnumandCountandDecode.cpp
Created
January 3, 2022 14:01
Enumerates processes which use VEH via their PEB and then counts the number of VEHs present - decodes pointers and works out which module they are in
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| VEH misuse detector for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
olliencc
/ DetectImpersonatingThreads.cpp
Last active
December 19, 2023 03:03
Detect Windows threads which are impersonating
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| TEB Detect Impersonating Threads for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
olliencc
/ nccgroupcanaryhttps.py
Last active
November 16, 2023 07:20
A Thinkst canary user module which listens on HTTPS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| INCIDENT_NAME = "NCCGROUPHTTPS" | |
| VERSION = "0.1" | |
| MODULE_DESCRIPTION = "NCCGROUPHTTPS" | |
| AUTHOR = "Ollie Whitehouse" | |
| AUTHOR_EMAIL = "ollie.whitehouse@nccgroup.com" | |
| CERT_FILE = "/tmp/selfsigned.crt" | |
| KEY_FILE = "/tmp/private.key" | |
| from opencanary.modules import CanaryService |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This was the first version - the newer version also includes *When* it was loaded also. | |
| https://gist.github.com/olliencc/e166a64ca211c51eb69111f26ce57bc1 | |
| */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| import hmac | |
| import binascii | |
| import base64 | |
| import sys | |
| import struct | |
| from Crypto.Cipher import AES | |
| HASH_ALGO = hashlib.sha256 | |
| SIG_SIZE = HASH_ALGO().digest_size |
olliencc
/ log4j2-class-md5sum.txt
Last active
May 2, 2023 06:43
log4j2 CVE-2021-44228 patched three class files - https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=c77b3cb - below are the inner class files (i.e. not jar) for each release to help locate vulnerable versions. Note: 2.0.15 was the patched version and is not vulnerable.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 04fdd701809d17465c17c7e603b1b202 ./2.11.0/apache-log4j-2.11.0-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 415c13e7c8505fb056d540eac29b72fa ./2.8/apache-log4j-2.8-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 415c13e7c8505fb056d540eac29b72fa ./2.8.1/apache-log4j-2.8.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 04fdd701809d17465c17c7e603b1b202 ./2.9.0/apache-log4j-2.9.0-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 8b2260b1cce64144f6310876f94b1638 ./2.4.1/apache-log4j-2.4.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| a193703904a3f18fb3c90a877eb5c8a7 ./2.8.2/apache-log4j-2.8.2-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 3bd9f41b89ce4fe8ccbf73e43195a5ce ./2.6.1/apache-log4j-2.6.1-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 04fdd701809d17465c17c7e603b1b202 ./2.11.2/apache-log4j-2.11.2-bin/org/apache/logging/log4j/core/net/JndiManager.class | |
| 21f055b62c15453f0d7970a9d994cab7 ./2.13.0/apache-log4j-2.13.0-bin/org/apache/logging/lo |
olliencc
/ DetectHardwareBreakPointMisuse.cpp
Last active
March 2, 2023 01:17
Detect Windows processes with hardware breakpoints set
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Debug register (hardware breakpoint) misuse detector for Microsoft Windows | |
| Released as open source by NCC Group Plc - http://www.nccgroup.com/ | |
| Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com | |
| Released under AGPL see LICENSE for more information | |
| */ |
olliencc
/ WindowsExtensionMapCSVPlus.bat
Created
June 29, 2020 20:28
Enumerate via various methods what opens what on Windows 10 using only batch/cmd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
| REM °² Enumerates all files extensions ²° | |
| REM °² and what opens them on Windows 10 in batch/cmd ²° | |
| REM °² twitter: @ollieatnccgroup ²° | |
| REM °²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²° | |
| REM ------------------------------------------------------ | |
| REM |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.io.File; | |
| import java.util.Base64; | |
| import common.CommonUtils; | |
| import java.security.KeyPair; | |
| class DumpKeys | |
| { | |
| public static void main(String[] args) | |
| { | |
| try { |
NewerOlder