soxfmr
🎯 Focusing
  • /dev/null
@mgraeber-rc
mgraeber-rc / MITRE_Attack_WindowsAppControl.csv
Created February 8, 2021 18:58
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID,Name,MitigatedByAppControl,Notes
T1001,Data Obfuscation,Not Applicable,Relevant sub-techniques addressed below
T1001.001,Junk Data,No,Technique is not necessarily related to the execution of arbitrary code on an endpoint.
T1001.002,Steganography,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1001.003,Protocol Impersonation,Limited,"If custom attacker code were necessary to perform this technique, it would be prevented."
T1003,OS Credential Dumping,Not Applicable,Relevant sub-techniques addressed below
T1003.001,LSASS Memory,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.002,Security Account Manager,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.003,NTDS,Limited,Built-in utilities exist to perform this technique. They would have to be explicitly blocked.
T1003.004,LSA Secrets,Limited,Built-in utilities exist to perform this technique.
@2XXE-SRA
2XXE-SRA / netrelease.ps1
Last active May 27, 2021 13:53
Add user to LanmanServer SrvsvcSessionInfo DACL, allowing them to perform NetSessionEnum (e.g. NetSess, BloodHound)
# based on NetCease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
# can be deployed on a per-host basis using this script - e.g. via something like SCCM
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value
# (lanmanserver still needs to be restarted when done this way)
# see: https://adsecurity.org/?p=3299 -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease)
# constants
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
from socket import *
import struct

controller = None
puppet = None

class ChatClient:
    def __init__(self, server):
        self._server = server
        self._sock = socket(AF_INET, SOCK_STREAM, 0)
@StevenACoffman
StevenACoffman / goGetPrivate.md
Last active April 28, 2024 13:59 — forked from dmitshur/gist:6927554
How to `go get` private repos using SSH key auth instead of password auth.

Set GOPRIVATE to match your github organization

Cloning the repo using one of the below techniques should work correctly, but you may still get an unrecognized import error.

As it stands for Go v1.13, I found in the doc that we should use the GOPRIVATE variable like so:

GOPRIVATE=github.com/ORGANISATION_OR_USER_NAME go get -u -f github.com/ORGANISATION_OR_USER_NAME/REPO_NAME

The 'go env -w' command (see 'go help env') can be used to set these variables for future go command invocations.

How to go get private repos using SSH key auth instead of password auth.

@icecr4ck
icecr4ck / idapython_cheatsheet.md
Last active April 23, 2024 18:45
Cheatsheet for IDAPython
@fnky
fnky / ANSI.md
Last active May 9, 2024 15:36
ANSI Escape Codes

ANSI Escape Sequences

Standard escape codes are prefixed with Escape:

  • Ctrl-Key: ^[
  • Octal: \033
  • Unicode: \u001b
  • Hexadecimal: \x1B
  • Decimal: 27
@netbiosX
netbiosX / Shellcode.cs
Created June 6, 2017 00:22
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@minkione
minkione / msf_install.sh
Created May 22, 2017 08:31
Install metasploit on Debian 8
# Install Oracle Java 8
apt-get install software-properties-common
add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" && apt-get update
apt-get install oracle-java8-installer
# Installing Dependencies
apt-get update
apt-get upgrade
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev
@worawit
worawit / eternalblue7_exploit.py
Last active June 20, 2023 08:21
Eternalblue exploit for Windows 7/2008
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
vim ~/.ctags
--langdef=Solidity
--langmap=Solidity:.sol
--regex-Solidity=/^contract[ \t]+([a-zA-Z0-9_]+)/\1/c,contract/
--regex-Solidity=/[ \t]*function[ \t]+([a-zA-Z0-9_]+)/\1/f,function/
--regex-Solidity=/[ \t]*event[ \t]+([a-zA-Z0-9_]+)/\1/e,event/
--regex-Solidity=/[ \t]*(struct[ \t]+[a-zA-Z0-9_]+)([ \t]*\{)/\1/v,variable/
--regex-Solidity=/[ \t]*(enum[ \t]+[a-zA-Z0-9_]+)([ \t]*\{)/\1/v,variable/
--regex-Solidity=/[ \t]*mapping[ \t]+\(([a-zA-Z0-9_]+)[ \t]*=>[ \t]*([a-zA-Z0-9_]+)\)[ \t]+([a-zA-Z0-9_]+)/\3 (\1=>\2)/m,mapping/