davehull

Lecture 1: Introduction to Research — [📝Lecture Notebooks] [▶️Video]
Lecture 2: Introduction to Python — [📝Lecture Notebooks] [▶️Video]
Lecture 3: Introduction to NumPy — [📝Lecture Notebooks] [▶️Video]
Lecture 4: Introduction to pandas — [📝Lecture Notebooks] [▶️Video]
Lecture 5: Plotting Data — [📝Lecture Notebooks] [[▶️Vide

davehull

#!/usr/bin/env python2
'''
Dump some PE file features from memory images.

author: Willi Ballenthin
email: [email protected]
website: https://gist.github.com/williballenthin/cbc102d561e2eb647f7aec3c3753ba55
'''
import os
import sys

davehull

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

davehull

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$False,Position=0)]
        [String]$TargetHostname,
    [Parameter(Mandatory=$False,Position=1)]
        [String]$HashAlgorithm
)

## We will handle errors via Try/Catch
$ErrorActionPreference = 'Stop'

davehull

function Get-ClrReflection
{
    <# 
    .SYNOPSIS 
    
    Detects memory-only CLR (.NET) modules
     
    Author: Joe Desimone (@dez_) 
    License: BSD 3-Clause 
    

davehull

function ConvertTo-DelimiterSeparatedValues {
<#
  This function is like ConverTo-CSV but with
  support for multi-character delimiters. The
  function will return noteproperty names as
  a header row.
#>
param(
  [Parameter(Mandatory=$True,ValueFromPipeLine=$True,Position=0)]
    [pscustomobject[]]$arrObject,

davehull

I've been playing around with Matasano Crypto Challenges for my own edification. 
It's been fun and insightful. I've learned a number of new things and enjoyed 
doing so. If you're a mediocre programmer like me and have an interest in crypto,
I highly recommend checking out the challenges -- http://cryptopals.com/.

A few of the exercises in set 1 have you playing around with XOR for encryption. 
You create a script that can brute force single key decryption and if you're 
ambitious you'll write a function that will examine letter frequencies of the 
output and score the results, returning the one that is most likely to be 
English. I wrote multiple scoring functions for this, one that counts English 

davehull

<#
.SYNOPSIS
XOR-Encrypt.ps1 takes a string of text to be encrypted and a key. Each
byte of the input string will be XOR'd with a byte from the key. If 
the key is not as long as the input string, the key will repeat.
.PARAMETER String
A required parameter, the string to be encoded.
.PARAMETER key
A required parameter, the key that the string will be XOR'd with.
.EXAMPLE

davehull

<#
.SYNOPSIS
XOR-Decrypt.ps1 takes a hexadecimal encoded string and uses the English
alpha and numeric characters as a key space, XORing the string with 
each single character and returning a XOR decrypted string.
.PARAMETER hexString
A required argument -- the hexadecimal encoded string to be decoded.
.PARAMETER AllResults
An optional switch that causes the script to return the all decrypted 
objects, by default the script will only return the object with the 

davehull

<#
.SYNOPSIS
Resolves many Windows GUIDs to human friendly values.

.DESCRIPTION
Resolve-WindowsGUID.ps1 takes a GUID from a Windows system and attempts
to return a human friendly value from either a static list or from a 
dynamically generated list of LogProvider GUIDs. There are undoubtedly 
other GUIDs in use throughout Windows that will not fall into either of 
these sets. If you encounter a GUID that you can't resolve via this