ℹ️ This was duplicated to this blog for readability and reference
The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
techris techris45
techris45
/ ejectusb.py
Created
December 26, 2024 23:22
— forked from gitcnd/ejectusb.py
Windows commandline to eject a USB drive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # From DOS commandline, run this as follows:- | |
| # python3 ejectusb.py | |
| # -or- create C:\windows\ejectusb.bat to do the above in fewer characters. | |
| # | |
| # From WSL bash, run it as follows:- | |
| # cmd.exe /c start python3 C:\\windows\\ejectusb.py | |
| # -or- create /usr/local/bin/ejectusb to do the above in fewer characters. |
techris45
/ Get-InjectedThread.ps1
Created
September 19, 2024 16:14
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
techris45
/ RMM-detection.md
Created
September 19, 2024 16:00
— forked from brokensound77/RMM-detection.md
Detection Engineering: RMM analysis
techris45
/ TaskManagerSecret.c
Created
August 30, 2023 07:26
— forked from antonioCoco/TaskManagerSecret.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| TaskManagerSecret | |
| Author: @splinter_code | |
| This is a very ugly POC for a very unreliable UAC bypass through some UI hacks. | |
| The core of this hack is stealing and using a token containing the UIAccess flag set. | |
| A trick described by James Forshaw, so all credits to him --> https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html | |
| From there it uses a task manager "feature" to run a new High IL cmd.exe. | |
| This has been developed only for fun and shouldn't be used due to its high unreliability. |
techris45
/ backup-servername.sh
Created
September 24, 2022 16:42
— forked from enoch85/backup-servername.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # This script is used on a QNAP TS-269 PRO. https://www.en0ch.se/qnap-and-rsync/ | |
| # | |
| # You have to change: | |
| # 1. $SHAREUSR | |
| # 2. $EXCLUDES (if you want o change the name of the file servername.excludes) | |
| # 3. $SOURCE & $DESTINATION | |
| # 4. user@yourserver.se for the mysqldump | |
| # 5. --password=SUPERSECRET |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import dbus | |
| import dbus.glib | |
| import gobject | |
| import subprocess | |
| def lock(): | |
| print "Screen saver turned on" |
techris45
/ keybase.md
Created
March 2, 2022 13:06
I hereby claim:
- I am techris45 on github.
- I am techris (https://keybase.io/techris) on keybase.
- I have a public key ASDa-ZGShtNKvqeDB9QFYR4bepQDXFOx3PK5QQQoAJ6vQAo
To claim this, I am signing this object:
techris45
/ how-to-copy-aws-rds-to-local.md
Created
December 7, 2021 04:36
— forked from syafiqfaiz/how-to-copy-aws-rds-to-local.md
How to copy production database on AWS RDS(postgresql) to local development database.
- Change your database RDS instance security group to allow your machine to access it.
- Add your ip to the security group to acces the instance via Postgres.
- Make a copy of the database using pg_dump
$ pg_dump -h <public dns> -U <my username> -f <name of dump file .sql> <name of my database>- you will be asked for postgressql password.
- a dump file(.sql) will be created
- Restore that dump file to your local database.
- but you might need to drop the database and create it first
$ psql -U <postgresql username> -d <database name> -f <dump file that you want to restore>
- the database is restored
techris45
/ postgres_queries_and_commands.sql
Created
December 7, 2021 04:36
— forked from rgreenjr/postgres_queries_and_commands.sql
Useful PostgreSQL Queries and Commands
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- show running queries (pre 9.2) | |
| SELECT procpid, age(clock_timestamp(), query_start), usename, current_query | |
| FROM pg_stat_activity | |
| WHERE current_query != '<IDLE>' AND current_query NOT ILIKE '%pg_stat_activity%' | |
| ORDER BY query_start desc; | |
| -- show running queries (9.2) | |
| SELECT pid, age(clock_timestamp(), query_start), usename, query | |
| FROM pg_stat_activity | |
| WHERE query != '<IDLE>' AND query NOT ILIKE '%pg_stat_activity%' |
techris45
/ windows_and_office_kms_setup.adoc
Created
December 2, 2021 03:33
— forked from jerodg/windows_and_office_kms_setup.adoc
Activate Windows and Office Using KMS Server
NewerOlder