Researched by Robert Quattlebaum darco@deepdarc.com.
Last updated 2020-02-03.
ajpc500
/ log-forwarding-with-etw.ps1
Last active
June 29, 2023 01:31
Quick-and-dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward logs to HELK based on IP set in environment variable "HELK_IP" (see Line 224).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
0xtornado
/ 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created
April 30, 2020 14:11
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}] |
TarlogicSecurity
/ kerberos_attacks_cheatsheet.md
Created
May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
0xhexmex
/ Get-KerberosKeytab.ps1
Created
February 14, 2019 21:50
— forked from raandree/Get-KerberosKeytab.ps1
Parses Kerberos Keytab files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param( | |
| [Parameter(Mandatory)] | |
| [string]$Path | |
| ) | |
| #Created by Pierre.Audonnet@microsoft.com | |
| # | |
| #Got keytab structure from http://www.ioplex.com/utilities/keytab.txt | |
| # | |
| # keytab { |
lxe
/ goes16-rtlsdr.md
Last active
June 6, 2024 04:19
Receive GOES-16 and GOES-17 Images with a Raspberry Pi and RTL-SDR dongle
Also see the original Pieter Noordhuis's guide
You need:
- Raspberry Pi Model B (or B+) with a MicroSD Card $35-40
- An RTL-SDR dongle:
dirkjanm
/ getloggedon.py
Created
September 15, 2018 19:27
Simple script that uses impacket to enumerate logged on users as admin using NetrWkstaUserEnum and impacket
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Copyright (c) 2012-2018 CORE Security Technologies | |
| # | |
| # This software is provided under under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. | |
| # | |
| # Gets logged on users via NetrWkstaUserEnum (requires admin on targets). | |
| # Mostly adapted from netview.py and lookupsid.py | |
| # |
maldevel
/ decryptWinSCPCreds.cpp
Created
August 26, 2018 10:41
PassCat Decrypt WinSCP passwords snippet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //https://github.com/twelvesec/passcat | |
| //GNU General Public License v3.0 | |
| //@maldevel | |
| //... | |
| int libwinscp::decrypt_char(char *hash, char **newhash, size_t *size) { | |
| unsigned char hex_flag = 0xA3; | |
| char charset[17] = "0123456789ABCDEF"; | |
| int unpack1, unpack2, result = 0; |
bohops
/ RDP_Eavesdropping_Hijacking
Last active
December 31, 2022 05:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RDP Eavesdropping and Hijacking | |
| ******************************* | |
| I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings | |
| that is not very new... | |
| =========== | |
| Inspiration | |
| =========== | |
| As you may already know... |
curi0usJack
/ .htaccess
Last active
June 6, 2024 18:04
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__! | |
| # | |
| # Note this version requires Apache 2.4+ | |
| # | |
| # Save this file into something like /etc/apache2/redirect.rules. | |
| # Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom | |
| # | |
| # Include /etc/apache2/redirect.rules | |
| # |
NewerOlder