Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
filter { | |
json { | |
# Do the initial JSON parse | |
source => "message" | |
target => "osquery" | |
} | |
mutate { | |
# Remove the \\x0A |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FROM alpine:latest | |
RUN apk add --no-cache postfix postfix-pcre rsyslog | |
RUN postconf -e "myhostname=localhost" \ | |
&& postconf -e "mynetworks_style=host" \ | |
&& postconf -e "mail_spool_directory=/var/mail/" \ | |
&& postconf -e "virtual_alias_maps=pcre:/etc/postfix/virtual" \ | |
&& echo "/.*/ root" > /etc/postfix/virtual \ | |
&& postmap /etc/postfix/virtual \ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$EventFilterArgs = @{ | |
EventNamespace = 'root/cimv2' | |
Name = 'PowerShellProcessStarted' | |
Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
QueryLanguage = 'WQL' | |
} | |
$Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
$CommandLineConsumerArgs = @{ |
The purpose of this document is to make recommendations on how to browse in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.
I welcome contributions and comments on the information contained. Please see the How to Contribute section for information on contributing your own knowledge.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Please set the ROOT to the folder your nxlog was installed into, | |
## otherwise it will not start. | |
#define ROOT C:\Program Files\nxlog | |
define ROOT C:\Program Files (x86)\nxlog | |
define ROOT_STRING C:\Program Files (x86)\\nxlog | |
Moduledir %ROOT%\modules | |
CacheDir %ROOT%\data | |
Pidfile %ROOT%\data\nxlog.pid |