Skip to content

Instantly share code, notes, and snippets.

@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active May 23, 2024 08:25
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" <. Often used by Emotet (UTF-16)
@defensivedepth
defensivedepth / logstash-osquery-shipped-WEL.conf
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
json {
# Do the initial JSON parse
source => "message"
target => "osquery"
}
mutate {
# Remove the \\x0A
@adepasquale
adepasquale / Dockerfile.postfix-catchall
Last active February 22, 2021 08:43
Dockerfile for Postfix server with catch-all configuration
FROM alpine:latest
RUN apk add --no-cache postfix postfix-pcre rsyslog
RUN postconf -e "myhostname=localhost" \
&& postconf -e "mynetworks_style=host" \
&& postconf -e "mail_spool_directory=/var/mail/" \
&& postconf -e "virtual_alias_maps=pcre:/etc/postfix/virtual" \
&& echo "/.*/ root" > /etc/postfix/virtual \
&& postmap /etc/postfix/virtual \
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active April 22, 2024 19:09
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@mattifestation
mattifestation / autodump_powershell_process.ps1
Last active September 16, 2019 04:58
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
$EventFilterArgs = @{
EventNamespace = 'root/cimv2'
Name = 'PowerShellProcessStarted'
Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"'
QueryLanguage = 'WQL'
}
$Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs
$CommandLineConsumerArgs = @{
@atcuno
atcuno / gist:3425484ac5cce5298932
Last active March 25, 2024 13:55
HowTo: Privacy & Security Conscious Browsing

The purpose of this document is to make recommendations on how to browse in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.

I welcome contributions and comments on the information contained. Please see the How to Contribute section for information on contributing your own knowledge.

Table of Contents

@mrlesmithjr
mrlesmithjr / nxlog.conf
Last active November 7, 2019 16:59
Windows nxlog.conf for Logstash
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid