GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Sunny Chakraborty sunnyc7
sunnyc7
/ TLGMetadataParser.psm1
Created
September 29, 2020 15:27
— forked from mattifestation/TLGMetadataParser.psm1
Retrieves TraceLogging metadata from a file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 5 | |
| <# | |
| The things you find on Google searching for specific GUIDs... | |
| Known Keyword friendly names: | |
| "UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328" | |
| "UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664" | |
| "UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832" | |
| "UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648" |
sunnyc7
/ windows_hardening.cmd
Created
May 8, 2020 14:26
— forked from ricardojba/windows_hardening.cmd
A Windows hardening script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ::############################################################################################################### | |
| :: Credits and More info: https://gist.github.com/mackwage/08604751462126599d7e52f233490efe | |
| :: https://github.com/LOLBAS-Project/LOLBAS | |
| :: https://lolbas-project.github.io/ | |
| :: https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| :: https://github.com/cryps1s/DARKSURGEON/tree/master/configuration/configuration-scripts | |
| :: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1#file-reclaimwindows10-ps1-L71 | |
| :: https://github.com/teusink/Home-Security-by-W10-Hardening | |
| :: | |
| ::############################################################################################################### |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Parser for chess games from Chess.com | |
| # Cleans everything between {} | |
| #ORIG:1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50} | |
| #CLEANED: 1.d4 e6 2.Nc3 Nf6 3.Bf4 d5 4.f3 a6 5.Qd2 Bb4 6.O-O-O c5 7.a3 Ba5 8.dxc5 Bc7 9.Bxc7 Qxc7 10.g4 Qxc5 11.h4 Qf2 12.g5 Nh5 13.Ne4 dxe4 14.Qd8# | |
| $game = '1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}' | |
| $regex = '\{(.*?)\}' | |
| $cleanedgame = $txt -replace $regex, '' | |
| $cleanedgame |
sunnyc7
/ Get-InjectedThread.ps1
Created
May 6, 2020 03:52
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
sunnyc7
/ _Instructions_Reproduce.md
Created
April 29, 2020 11:17
GhostLoader - AppDomainManager - Injection - 攻壳机动队
sunnyc7
/ checkaslr.py
Created
April 20, 2020 18:16
— forked from wdormann/checkaslr.py
Check for running processes on Windows that have components that do not utilize ASLR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| Utility to check for processes running with non-ASLR-compatible components. | |
| Run with Administrative privileges to get visibility into all processes. | |
| (1a) psutil: https://pypi.org/project/psutil/ | |
| Installed via PIP | |
| -OR- | |
| (1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls |
sunnyc7
/ Get-BlockedPowershellHashInCIPolicy.ps1
Last active
April 15, 2020 08:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on a hint by @tiraniddo in chat today on Matt's Twitch Stream - https://www.twitch.tv/mattifestation | |
| # Context: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md | |
| # What does the script do?: | |
| # Get a list of blocked filenames from the hashes in Microsoft recommended block rules. | |
| # Result | |
| # Some strange filenames from hashes in VT output, for e.g.169339.ps1 | |
| # Some hashes do not exist in VT. |
sunnyc7
/ WDEG_CFA1.md
Created
April 3, 2020 04:44
Quick notes on WDEG (Windows Defender Exploit Guard) - CFA feature
- CFA - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders
- You have followed the CFA guide listed here - https://demo.wd.microsoft.com/
- Create a folder called C:\demo
- Configure CFA to block c:\demo
- Unsigned executables from writing to the folder
sunnyc7
/ DeviceGuard_Driver_Strict_Enforcement_policy.xml
Created
March 23, 2020 23:39
— forked from mattifestation/DeviceGuard_Driver_Strict_Enforcement_policy.xml
File-based driver enforcement Device Guard policy for my Surface Laptop w/ Windows 10 Enterprise.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.0.0</VersionEx> | |
| <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> | |
| <Rule> |
sunnyc7
/ Sudoku.com AI Solver.py
Created
March 11, 2020 03:35
— forked from ahmedkhalf/Sudoku.com AI Solver.py
Solve sudoku.com using Selenium!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from selenium import webdriver | |
| from selenium.webdriver.common.by import By | |
| from selenium.webdriver.support.ui import WebDriverWait | |
| from selenium.webdriver.support import expected_conditions as EC | |
| import time | |
| # Make sure chrome driver is in your path, | |
| # full download totorial on official python selenium website. | |
| # Start broswer with sudoku.com |