byinarie
/ DInjectQueuerAPC.cs
Created
November 12, 2023 04:41
— forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| When you run this code it will generate the following output: | |
| h%s%s%s%s%s%s%s%s%s%s | |
| he%s%s%s%s%s%s%s%s%s | |
| hel%s%s%s%s%s%s%s%s | |
| hell%s%s%s%s%s%s%s | |
| hello%s%s%s%s%s%s | |
| hello %s%s%s%s%s | |
| hello w%s%s%s%s | |
| hello wo%s%s%s |
byinarie
/ Shhhavoc.py
Created
November 1, 2023 20:35
— forked from jakobfriedl/Shhhavoc.py
Shhhloader integration for Havoc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- Coding: UTF-8 -*- | |
| # Author: Jakob Friedl | |
| # Created on: Mon, 16. Oct 2023 | |
| # Description: Shhhloader support for Havoc C2 framework | |
| # Usage: Load this script into Havoc: Scripts -> Scripts Manager -> Load to create Shhhloader Tab | |
| import os, sys, subprocess | |
| import threading | |
| import havoc |
byinarie
/ shellcode_loader.py
Created
October 20, 2023 23:51
— forked from m8sec/shellcode_loader.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: @m8sec | |
| # Description: Injects shellcode into the current process. | |
| import sys | |
| import ctypes | |
| import hashlib | |
| from time import sleep | |
| import ctypes.wintypes as wt | |
| from base64 import b64decode | |
| from Crypto.Cipher import AES |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "timestamp": "2023-10-04T13:55:26.433725+0000", // The date and time the alert was generated, in ISO 8601 format with microsecond precision. | |
| "event_type": "alert", // The type of event being logged; here it's an "alert" indicating a detection event. | |
| "src_ip": "192.168.1.101", // The source IP address where the traffic originated. | |
| "src_port": 49875, // The source port of the traffic. | |
| "dest_ip": "10.0.0.2", // The destination IP address where the traffic is being sent. | |
| "dest_port": 80, // The destination port of the traffic. | |
| "proto": "TCP", // The network protocol used; TCP in this example. | |
| "alert": { // The section containing details about the alert. |
byinarie
/ gist:3eab0d87972fcf36323272cf20758def
Created
September 20, 2023 17:02
example docker-compose using opensearch, praeco, and elastalert2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: '3' | |
| services: | |
| opensearch-node1: | |
| image: opensearchproject/opensearch:latest | |
| container_name: opensearch-node1 | |
| environment: | |
| - cluster.name=opensearch-cluster | |
| - node.name=opensearch-node1 | |
| - discovery.seed_hosts=opensearch-node2 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $REGISTRY_KEYS = @( | |
| 'SOFTWARE\Policies\Microsoft\Windows Defender', | |
| 'SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection', | |
| 'SOFTWARE\Policies\Microsoft\Windows Defender\Reporting', | |
| 'SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet' | |
| ) | |
| $VALUES = @( | |
| 'DisableAntiSpyware', | |
| 'DisableAntiVirus', |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import json | |
| import base64 | |
| import sqlite3 | |
| import win32crypt | |
| from Crypto.Cipher import AES | |
| import shutil | |
| import click | |
byinarie
/ gist:9b21ffa505758c232444be9a8525a08f
Created
September 14, 2023 21:49
— forked from BushidoUK/gist:20b81335c6729dc8e0b5997ca83fa35f
BlackCat/ALPHV - MGM
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Statement on MGM Resorts International: Setting the record straight | |
| 9/14/2023, 7:46:49 PM | |
| We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight. | |
| No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams. | |
| MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan. | |
| On Sunday night, MGM implement |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| References | |
| https://splunkbase.splunk.com/apps | |
| https://docs.splunk.com/Documentation | |
| https://docs.splunk.com/Documentation/SCS/current/SearchReference/Introduction | |
| https://www.splunk.com/en_us/blog/security.html | |
| https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html | |
| Comparison operators (=, !=, <, >, <=, >=) |
NewerOlder