Skip to content

Instantly share code, notes, and snippets.

View thesubtlety's full-sized avatar

Noah thesubtlety

43 followers · 52 following
View GitHub Profile
@capnspacehook
capnspacehook / invokeInMemLinux.go
Created February 21, 2019 13:37
Executes a binary or file in memory on a Linux system. Uses the memfd_create(2) syscall. Credits and idea from: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
package main
import (
"io/ioutil"
"os"
"os/exec"
"strconv"
"syscall"
@n0ncetonic
n0ncetonic / pathogen.sh
Created April 3, 2019 02:03
Command Injection via Homebrew $PATH trickery
#!/bin/bash
# Command Injection via Homebrew $PATH trickery
# n0ncetonic
# Blacksun Research Labs 2019
# https://github.com/n0ncetonic
# https://github.com/BlacksunLabs
banner=$(/bin/cat <<EOF
@Neo23x0
Neo23x0 / iddqd.yar
Last active January 18, 2024 13:04
IDDQD - Godmode YARA Rule
/*
WARNING:
the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
/*
_____ __ __ ___ __
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@ropnop
ropnop / docker_aliases.sh
Created July 18, 2019 02:16
Docker aliases
function dockershell() {
docker run --rm -i -t --entrypoint=/bin/bash "$@"
}
function dockershellsh() {
docker run --rm -i -t --entrypoint=/bin/sh "$@"
}
function dockershellhere() {
dirname=${PWD##*/}
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active May 23, 2024 08:25
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" &lt;. Often used by Emotet (UTF-16)
@khr0x40sh
khr0x40sh / Get-VBACHRObfuscatedString.ps1
Created November 19, 2019 15:36
Takes a string and applies CHR(ascii int) & for each character in string
Param([string]$string = "C:\windows\syswow64\windowspowershell\v1.0\powershell.exe -exec Bypass -nop ping 127.0.0.1"
);
$result = ""
$strA = $string.ToCharArray()
for($i = 0; $i -lt $strA.Length; $i++)
{
$x = [byte]$strA[$i]
$result += "Chr (" + $x.ToString() + ") & "
}
@thomaspatzke
thomaspatzke / mitre_attack_oneliners.sh
Created December 17, 2019 00:10
MITRE ATT&CK oneliners
# Requires: curl, jq
# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json
# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 19:27
Adapative DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
ExitProcess(0);
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info