GhostLoader Steps :)
1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
#requires -version 5
<#
The things you find on Google searching for specific GUIDs...
Known Keyword friendly names:
"UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328"
"UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664"
"UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832"
"UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648"
::###############################################################################################################
:: Credits and More info: https://gist.github.com/mackwage/08604751462126599d7e52f233490efe
:: https://github.com/LOLBAS-Project/LOLBAS
:: https://lolbas-project.github.io/
:: https://github.com/Disassembler0/Win10-Initial-Setup-Script
:: https://github.com/cryps1s/DARKSURGEON/tree/master/configuration/configuration-scripts
:: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1#file-reclaimwindows10-ps1-L71
:: https://github.com/teusink/Home-Security-by-W10-Hardening
::
::###############################################################################################################
# Parser for chess games from Chess.com
# Removes the clock annotations between {} (and the space in front of each one)
#ORIG:1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}
#CLEANED: 1.d4 e6 2.Nc3 Nf6 3.Bf4 d5 4.f3 a6 5.Qd2 Bb4 6.O-O-O c5 7.a3 Ba5 8.dxc5 Bc7 9.Bxc7 Qxc7 10.g4 Qxc5 11.h4 Qf2 12.g5 Nh5 13.Ne4 dxe4 14.Qd8#
$game = '1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}'
# Match the whitespace before each brace plus everything up to the closing brace,
# so that removing the match leaves single spaces between moves (as in #CLEANED above)
$regex = '\s*\{[^}]*\}'
$cleanedgame = $game -replace $regex, ''
$cleanedgame
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
#!/usr/bin/env python
'''
Utility to check for processes running with non-ASLR-compatible components.
Run with Administrative privileges to get visibility into all processes.
(1a) psutil: https://pypi.org/project/psutil/
Installed via PIP
-OR-
(1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
# Based on a hint by @tiraniddo in chat today on Matt's Twitch Stream - https://www.twitch.tv/mattifestation
# Context: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
# What does the script do?:
# Get a list of blocked filenames from the hashes in Microsoft recommended block rules.
# Result
# Some strange filenames from hashes in VT output, e.g. 169339.ps1
# Some hashes do not exist in VT.
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time
# Make sure chromedriver is in your PATH;
# full download tutorial on the official Python Selenium website.
# Start browser with sudoku.com