MITRE ATT&CK - T1132 - Data Encoding
| Base64 Code | Decoded (. = 0x00) | Description | MITRE ID |
|---|---|---|---|
| JAB | $. | Variable declaration (UTF-16) | T1086 |
| TVq | MZ | MZ header | T1001 |
| UEs | PK | ZIP, Office documents | T1001 |
| SUVY | IEX | PowerShell Invoke Expression | T1086 |
```powershell
# ---------------------------------------------------
# Load the Active Directory PowerShell module
# ---------------------------------------------------
# $ADModuleBytes = [System.IO.File]::ReadAllBytes("C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll")
# $ADModuleString = [System.Convert]::ToBase64String($ADModuleBytes)
# Set the string
$ADModuleString = "<base64-encoded DLL string elided on this page>"
```
===========================================================================
Venturing into the Dark - a review of Dark Side Ops 2: Adversary Simulation
===========================================================================
---------------------------------------------------------------------------
Location: BlackHat Las Vegas
Links: https://www.blackhat.com/us-19/training/schedule/#dark-side-ops----adversary-simulation-14210
https://silentbreaksecurity.com/training/dark-side-ops-2-adversary-simulation/
Trainers: Silent Break Security Team (team of 3)
With kerbrute.py:

```shell
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

With the Rubeus version that has the brute module:
```apache
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
Define REDIR_TARGET |DESTINATIONURL|
RewriteEngine On
RewriteOptions Inherit
```
```python
from stix2 import FileSystemSource
from stix2 import Filter
from stix2.utils import get_type_from_id

# Local checkout of the MITRE ATT&CK STIX data (enterprise-attack directory)
fs = FileSystemSource('./enterprise-attack')

def get_group_by_alias(src, alias):
    # Return the intrusion-set objects whose aliases list contains the given alias
    return src.query([
        Filter('type', '=', 'intrusion-set'),
        Filter('aliases', '=', alias),
    ])
```
```xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="NotSubTee">
    <BusinessTime />
  </Target>
  <UsingTask
    TaskName="BusinessTime"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <ParameterGroup/>
    <Task>
      <!-- inline task body cut off on this page -->
    </Task>
  </UsingTask>
</Project>
```
Windows version:

```
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
```

Users who have authed to the system:

```
ls C:\Users\
```

System env variables:

```
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
```

Saved outbound RDP connections:
```csharp
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Diagnostics;

public class TestClass
{
    // Empty constructor; the rest of the class is cut off on this page
    public TestClass()
    {}
}
```