Skip to content

Instantly share code, notes, and snippets.

View ssnkhan's full-sized avatar
:atom:

Sajid Nawaz Khan ssnkhan

:atom:
23 followers · 10 following
View GitHub Profile
@MHaggis
MHaggis / conti.cna
Created August 9, 2021 14:15
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@adulau
adulau / hashlookup-circl-lu.md
Last active December 16, 2023 17:13
hashlookup.circl.lu - examples

hashlookup.circl.lu

CIRCL hash lookup is a public API to lookup hash values against known database of files. NSRL RDS database is included. More database will be included in the future. The API is accessible via HTTP ReST API and the API is also described as an OpenAPI.

Get information about the hash lookup database (via ReST)

curl -X 'GET' \
  'https://hashlookup.circl.lu/info' \
 -H 'accept: application/json'
@sixdub
sixdub / beacon.ksy
Created April 6, 2021 21:17
meta:
id: beaconconfig
title: Cobalt Strike Beacon Config
endian: be
doc: |
Cobalt Strike Beacon is a popular offensive security tool. Beacon itself
is a DLL that gets injected into memory and can be staged from C2 servers.
The Beacon DLL (in unencoded form) contains a configuration section that gets
patched by the C2 server. This section is a fixed predictable structure
@dmchell
dmchell / getnamedpipes.cs
Created January 31, 2021 18:43
using System.IO;
using System;
namespace GetNamedPipes
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("[*] Found the following pipes:");
@MHaggis
MHaggis / Beacon.csv
Created December 23, 2020 14:12
Extraction of Spawnto's in public CobaltStrike servers, related to https://twitter.com/M_haggis/status/1341746928665542659?s=20, https://twitter.com/MichalKoczwara/status/1341659356866240517
spawnto count
WUAUCLT.exe 1
WerFault.exe 3
batchexe 2
cmstp.exe 1
compact.exe 1
dllhost.exe 3
eventvwr.exe 1
gpresult.exe 2
gpupdate.exe 16
@peterhurford
peterhurford / install_xelatex_on_mac.txt
Last active April 16, 2024 04:20
How to install latex and xelatex on Mac so that Jupyter "Download as PDF" will work
brew install pandoc
brew tap homebrew/cask
brew install --cask basictex
eval "$(/usr/libexec/path_helper)"
# Update $PATH to include `/usr/local/texlive/2022basic/bin/universal-darwin`
sudo tlmgr update --self
sudo tlmgr install texliveonfly
sudo tlmgr install xelatex
sudo tlmgr install adjustbox
sudo tlmgr install tcolorbox
@0xtornado
0xtornado / 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created April 30, 2020 14:11
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]
@krypted
krypted / gist:605e0fb776d8761750c068234811a842
Created February 1, 2019 14:53
#
#
# Exports the contents of a flat sql dump to csv files with the name of the table.csv and a xls representation of the database
# Requires Python 3.7 (from a Mac, first - brew install python3)
# Prior to running python3 -m pip install pandas
# Prior to running python3 -m pip install openpyxl
# Usage python3 sqlcsvxlsexport.py <sql dump file> <target directory>
# Send accolades for the script to krypted@me.com or hatemail to <devnull>
#
#
@niw
niw / fetch_nike_puls_all_activities.bash
Last active April 10, 2024 08:48
A simple NikePlus API description to fetch past run metrics
#!/usr/bin/env bash
# fetch_nike_puls_all_activities.bash
# A simple bash script to fetch all activities and metrics from NikePlus.
# See `nike_plus_api.md` for the API details.
readonly bearer_token="$1"
if [[ -z "$bearer_token" ]]; then
echo "Usage: $0 bearer_token"
exit
@mgeeky
mgeeky / WMIPersistence.vbs
Last active June 1, 2022 12:58
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'