Eric vector-sec
vector-sec
/ hid_ntevent_wmi_event_subscription
Created
August 4, 2016 04:35
An example of how to use permanent WMI event subscriptions to log that a keyboard/mouse was connected to the windows event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based off @mattifestation's example: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'HumanInterfaceDevice' | |
| Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PointingDevice" OR TargetInstance ISA "Win32_KeyBoard"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ |
vector-sec
/ duo_security_sha1hmac.vbs
Created
August 4, 2016 07:29
VBScript implementation of SHA1HMAC meeting Duo Security's specifications
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function ToString(rabyt,datatype) | |
| With CreateObject("MSXML2.DOMDocument") | |
| .LoadXML "<root />" | |
| .DocumentElement.DataType = datatype | |
| .DocumentElement.nodeTypedValue = rabyt | |
| ToString = Replace(.DocumentElement.text, vbLf, "") | |
| End With | |
| End Function | |
| Function ToSHA1HMAC(sTextToHash, sSharedSecretKey) |
vector-sec
/ duo_auth_api.vbs
Created
August 5, 2016 05:00
VBscript for making a GET request to Duo's Auth API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function ToString(rabyt,datatype) | |
| With CreateObject("MSXML2.DOMDocument") | |
| .LoadXML "<root />" | |
| .DocumentElement.DataType = datatype | |
| .DocumentElement.nodeTypedValue = rabyt | |
| ToString = Replace(.DocumentElement.text, vbLf, "") | |
| End With | |
| End Function | |
| Function ToSHA1HMAC(sTextToHash, sSharedSecretKey) |
vector-sec
/ Modified_Bloodhound.ps1
Created
August 10, 2016 17:23
This is a modified version of Bloodhound.ps1, a part of https://github.com/adaptivethreat/BloodHound/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 2 | |
| <# | |
| PowerSploit File: PowerView.ps1 | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
vector-sec
/ Modified_Bloodhound.ps1
Created
August 10, 2016 17:24
This is a modified version of Bloodhound.ps1, a part of https://github.com/adaptivethreat/BloodHound/ The modification is simply adding a GroupName paramter to Get-BloodhoundData to use in conjunction with -CollectionMethod Group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 2 | |
| <# | |
| PowerSploit File: PowerView.ps1 | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
vector-sec
/ keybase.io
Created
December 6, 2016 16:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am vector-sec on github. | |
| * I am vector_sec (https://keybase.io/vector_sec) on keybase. | |
| * I have a public key whose fingerprint is 374D C736 0AC6 1C4A 8605 73C4 39B3 4B9B AED1 83D8 | |
| To claim this, I am signing this object: |
vector-sec
/ EmpireCOMPosh.cs
Created
March 28, 2017 15:25
Allows PowerShell Commands To Execute via JavaScript via COM. PowerShell without PowerShell.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; |
vector-sec
/ Get-InjectedThread.ps1
Created
May 10, 2017 15:38
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
vector-sec
/ Create-LNK.ps1
Created
June 30, 2017 15:59
— forked from enigma0x3/Create-LNK.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-LNKPayload{ | |
| <# | |
| .SYNOPSIS | |
| Generates a malicous LNK file | |
| .PARAMETER LNKName | |
| Name of the LNK file you want to create. |
vector-sec
/ Get-Token.ps1
Created
August 10, 2017 17:51
PowerShell script to enumerate all Process and Thread tokens.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Token | |
| { | |
| foreach($proc in (Get-Process)) | |
| { | |
| if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
| { | |
| try | |
| { | |
| $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
| } |
OlderNewer