Paul Michaud pmichaudrc

## Update_Notes.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                pmichaudrc
                / Update_Notes.md
            
            
              Created
              February 8, 2022 13:21
            
              
                You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property
              
          
    Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

  
## sc.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test


new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP

var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';

## allthesysmon.xml
<Sysmon schemaversion="4.81">
    <HashAlgorithms>md5,sha256</HashAlgorithms>
    <EventFiltering>
        <!--Event ID 1: Process creation-->
        <ProcessCreate onmatch="exclude"></ProcessCreate>
        <!--Event ID 2: A process changed a file creation time-->
        <FileCreateTime onmatch="exclude"></FileCreateTime>
        <!--Event ID 3: Network connection-->
        <NetworkConnect onmatch="exclude"></NetworkConnect>
        <!--Event ID 5: Process terminated-->

## Reset-KrbtgtKeyInteractive.ps1
<#----------------------------------------------------------------------------------------------------
Release Notes:

    v1.4:
        Author: Jared Poeppelman, Microsoft
        First version published on TechNet Script Gallery
----------------------------------------------------------------------------------------------------#>

function Test-Command
    {

## Base64_CheatSheet.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              0 stars
            
          
                pmichaudrc
                / Base64_CheatSheet.md
            
            
              Created
              November 25, 2020 13:17
                — forked from Neo23x0/Base64_CheatSheet.md
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Learning Aid - Top Base64 Encodings Table


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16)


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)
	//Example Reference:
	// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
	// Test


	new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
	// Change that C:\\Tools to a location you specify, or dynamically find current directory.
	// ActCTX will search for the DLL in TMP

	var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
	<Sysmon schemaversion="4.81">
	<HashAlgorithms>md5,sha256</HashAlgorithms>
	<EventFiltering>
	<!--Event ID 1: Process creation-->
	<ProcessCreate onmatch="exclude"></ProcessCreate>
	<!--Event ID 2: A process changed a file creation time-->
	<FileCreateTime onmatch="exclude"></FileCreateTime>
	<!--Event ID 3: Network connection-->
	<NetworkConnect onmatch="exclude"></NetworkConnect>
	<!--Event ID 5: Process terminated-->
	<#----------------------------------------------------------------------------------------------------
	Release Notes:

	v1.4:
	Author: Jared Poeppelman, Microsoft
	First version published on TechNet Script Gallery
	----------------------------------------------------------------------------------------------------#>

	function Test-Command
	{
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16)
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)