This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<-- x86 --> | |
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
<!- x64 --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
<Target Name="Hello"> | |
<ClassExample /> | |
</Target> | |
<UsingTask |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import argparse | |
import os | |
import configparser | |
import csv | |
import sys | |
from os.path import exists | |
import requests | |
#Console Output coloring. Makes knowing if you have any errors/ warnings easier to identify | |
err_Col = '\033[91m' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#requires -version 2 | |
<# | |
PowerSploit File: PowerView.ps1 | |
Author: Will Schroeder (@harmj0y) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Sysmon Office MSDT | |
id: c95ed569-5da4-48b3-9698-5e429964556c | |
description: Detects MSDT Exploit Attempts | |
status: experimental | |
author: kevthehermit | |
date: 2022/05/30 | |
references: | |
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon | |
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2 | |
logsource: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Based off @mattifestation's example: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
# Define the signature - i.e. __EventFilter | |
$EventFilterArgs = @{ | |
EventNamespace = 'root/cimv2' | |
Name = 'HumanInterfaceDevice' | |
Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PointingDevice" OR TargetInstance ISA "Win32_KeyBoard"' | |
QueryLanguage = 'WQL' | |
} | |
$InstanceArgs = @{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Bandit" | |
progid="Bandit" | |
version="1.00" | |
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-Token | |
{ | |
foreach($proc in (Get-Process)) | |
{ | |
if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
{ | |
try | |
{ | |
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
} |
OlderNewer