pe3zx
@pe3zx
pe3zx / malware_carriers_hunting.yar
Last active Oct 13, 2019
Extracted YARA rules from BlackHat USA 2019 talk "Worm Charming - Harvesting Malware Lures for Fun and Profit"
// any Office document with macros.
rule macro_hunter
{
strings:
$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
condition:
new_file and (
tags contains "macros" or (
pe3zx / disable_windows_defender.bat
Created Jul 29, 2019
Disable Windows Defender on Windows 10 1903
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
pe3zx / unpacking.py
Created Apr 20, 2019
Unpacking sudoers_timestamp struct
import sys
import binascii
import struct
from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short
from collections import namedtuple
from pprint import pprint
# struct timestamp_entry {
# unsigned short version; /* version number */
# unsigned short size; /* entry size */
pe3zx / misp.conf
Last active Jan 20, 2019
Apache2 configuration to enable SSL/TLS support on MISP
<VirtualHost *:443>
ServerName misp.local
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Order allow,deny
allow from all
</Directory>
pe3zx / keybase.md

Keybase proof

I hereby claim:

  • I am pe3zx on github.
  • I am pe3z (https://keybase.io/pe3z) on keybase.
  • I have a public key ASAU2yKbpXrwC7sNTh3-BoTC9V9qgbdHXH_LIVbhIf_rcQo

To claim this, I am signing this object:
