@sasqwatch
sasqwatch / UserWritableLocations.ps1
Created Aug 19, 2019 — forked from hinchley/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
View UserWritableLocations.ps1
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
@sasqwatch
sasqwatch / UserWritableLocations.ps1
Created Aug 19, 2019 — forked from caseysmithrc/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article: http://hinchley.net/2016/06/13/an-approach-for-managing-microsoft-applocker-policies/
View UserWritableLocations.ps1
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
"C:\Windows"
)
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
View Disable-Fusion-Log-.NET-Assembly-Binding-Logging.bat
reg add "HKLM\Software\Microsoft\Fusion" /v EnableLog /t REG_DWORD /d 0 /f
@sasqwatch
sasqwatch / CompileInMemory.cs
Last active Aug 19, 2019 — forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample (https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/). However, this will still execute csc.exe and drop a DLL to %temp% (https://twitter.com/Laughing_Mantis/status/991018563296157696).
View CompileInMemory.cs
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
@sasqwatch
sasqwatch / JankyAF.csproj
Created Aug 19, 2019 — forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
View JankyAF.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
@sasqwatch
sasqwatch / wifiscan.cmd
Last active Aug 15, 2019 — forked from joswr1ght/wifiscan.cmd
Wi-Fi Scanning at the Windows Command Prompt, FOR loop style
View wifiscan.cmd
FOR /L %N IN () DO @netsh wlan show networks mode=bssid | findstr "^SSID Signal" && ping -n 16 127.0.0.1 >NUL && cls
@sasqwatch
sasqwatch / rbcd_relay.py
Created Aug 9, 2019 — forked from 3xocyte/rbcd_relay.py
PoC resource-based constrained delegation relay attack tool
View rbcd_relay.py
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer
import SocketServer
import base64
import random
import struct
View AWS Security Resources
INTRO
I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute.
Short Link: http://tiny.cc/awssecurity
Official AWS Security Resources
* Security Blog - http://blogs.aws.amazon.com/security/
* Security Advisories - http://aws.amazon.com/security/security-bulletins/
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
@sasqwatch
sasqwatch / .htaccess
Created Jul 17, 2019 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
View .htaccess
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
Define REDIR_TARGET |DESTINATIONURL|
RewriteEngine On
RewriteOptions Inherit
View lolbins.json
{
"Powershell": {
"process_name": ["powershell.exe"]
},
"Utilman": {
"process_name": ["utilman.exe"]
},
"msiexec": {
"process_name": ["msiexec.exe"]
},