Skip to content

Instantly share code, notes, and snippets.

View Und3rf10w's full-sized avatar

Und3rf10w

668 followers · 66 following
View GitHub Profile
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active April 24, 2025 15:06
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@dfirfpi
dfirfpi / uapc_inject.py
Created March 17, 2017 22:38
QueueUserAPC injection Python demo test
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2017, Francesco "dfirfpi" Picasso <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
@001SPARTaN
001SPARTaN / dcom_shellexecute.cna
Last active March 7, 2021 16:25
# Lateral movement techniques based on research by enigma0x3 (Matt Nelson)
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
# Beacon implementation based on comexec.cna by Raphael Mudge
# https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2
# Register alias
beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)",
"Usage: dcom_shellexecute [target] [listener]\n\n" .
"Spawn new Beacon on a target via DCOM ShellExecute Object.");
@rsmudge
rsmudge / comexec.cna
Created January 6, 2017 22:06
Lateral Movement with the MMC20.Application COM Object (Aggressor Script Alias)
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
@mattifestation
mattifestation / ELAM.ps1
Last active July 27, 2022 09:37
ELAM driver approved anti-malware signer parser
function Get-ElamCertInfo {
<#
.SYNOPSIS
Extract early launch anti-malware certificate information from an ELAM driver.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
.DESCRIPTION
@steverice
steverice / swagger.json
Last active January 16, 2025 21:38
PagerDuty API Swagger
{
"swagger": "2.0",
"info": {
"title": "PagerDuty API",
"description": "The PagerDuty API provides programmatic access to entities within a PagerDuty account. It is designed around [RESTful principles](https://en.wikipedia.org/wiki/Representational_state_transfer) with a path structure based on resources and their relationships.\n\nAll requests and responses are serialized in [JSON](https://en.wikipedia.org/wiki/JSON), including error responses.\n\nSchema are designed to be reusable across requests and across endpoints.\n\nMore sophisticated API clients should treat PagerDuty resources as unique objects keyed by the `id` field that can be used in any API request involving resources of that type.\n\nEvery resource contains a `type` field that identifies the schema it uses.\n\n## Rate limiting\n\nEach account and authentication mechanism is limited to the number of API requests it can make every minute. API requests that exceed the API rate limit will return an [HTTP status code](error_codes.html#http_res
@binkybear
binkybear / mubix-lock.sh
Last active November 3, 2021 22:56
mubix-lock.sh
#!/bin/bash
#
# Attack created by Mubix. For more information see:
# https://room362.com/post/2016/snagging-creds-from-locked-machines
# Modified for Nethunter by Binkybear
#
# ================== #
# Check for root
# ================== #
@rsmudge
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
@XMPPwocky
XMPPwocky / poc.py
Created April 20, 2016 23:36
import dpkt, socket, struct, binascii, sys, time, random
if len(sys.argv) < 2:
print "Usage: poc.py pcapfile"
print "PCAP file must contain only the UDP packets of a Steam connection."
sys.exit(1)
capture = dpkt.pcap.Reader(open(sys.argv[1]))
cap_messages_out = []
cap_messages_in = []
@mattifestation
mattifestation / sample_drive_infector.ps1
Created April 2, 2016 18:18
A PoC drive infector using permanent WMI event subscriptions. I wrote this to demonstrate passing __EventFilter arguments to a CommandLineEventConsumer
$EventFilterArgs = @{
EventNamespace = 'root/cimv2'
Name = 'DriveChanged'
Query = 'SELECT * FROM Win32_VolumeChangeEvent'
QueryLanguage = 'WQL'
}
$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs
$CommandLineConsumerArgs = @{