Skip to content

Instantly share code, notes, and snippets.

View gaelicWizard's full-sized avatar

John D Pell gaelicWizard

21 followers · 30 following
View GitHub Profile
@ttscoff
ttscoff / logr.bash
Last active November 28, 2024 18:37
Bash logging utility that simplifies use of logger command
#!/bin/bash
# Logging utility that simplifies user of bash logger command
# # First source the script
# source ~/scripts/logr.bash
# # Start the logger, generates log name from scripts filename
# logr start
# # or define your own
# logr start LOG_NAME
@wdormann
wdormann / disable_ddeauto.reg
Last active October 1, 2024 17:10
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
@N3mes1s
N3mes1s / MsWinZonesCacheCounterMutexA
Created May 12, 2017 21:49
$createdNew = $False;
$mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew);
@Neo23x0
Neo23x0 / wannacry-vaccine.reg
Last active March 15, 2021 19:49
WannaCrypt Ransomware Immunisation
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
"Debugger"="taskkill /F /IM "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
"Debugger"="taskkill /F /IM "
@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active May 14, 2025 19:15 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@mattifestation
mattifestation / CIPolicyParser.ps1
Last active July 17, 2025 10:33
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
@HaleTom
HaleTom / print256colours.sh
Last active May 23, 2025 15:45
Print a 256-colour test pattern in the terminal
#!/bin/bash
# Tom Hale, 2016. MIT Licence.
# Print out 256 colours, with each number printed in its corresponding colour
# See http://askubuntu.com/questions/821157/print-a-256-color-test-pattern-in-the-terminal/821163#821163
set -eu # Fail on errors or undeclared variables
printable_colours=256
@janegilring
janegilring / Install-SysinternalsSuiteNano.ps1
Created July 5, 2016 19:47
This script will download the Nano Server version of the Sysinternals Suite and extract it to the specified target directory.
#requires -Version 5
<#
NAME: Install-SysinternalsSuiteNano.ps1
AUTHOR: Jan Egil Ring (@JanEgilRing)
COMMENT: This script will download the Nano Server version of the Sysinternals Suite and extract it to the specified target directory.
@mattifestation
mattifestation / wmi_provider_association.ps1
Last active August 16, 2022 05:14
Enumerates WMI providers, the DLLs that back the provider, and the classes hosted by the provider.
<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>
function Get-WmiNamespace {
[OutputType([String])]
Param (
[String]
[ValidateNotNullOrEmpty()]
@tehnoir
tehnoir / set_project_profiles.sh
Created April 13, 2016 19:19
Update Xcode project's build settings to point to current provisioning profiles.
#!/bin/bash
##############################################################################################################
### 1. Name your profiles with the convention of ProjectName_TargetName_ConfigurationName.mobileprovision ###
### 2. Create a directory called CodeSign in your project directory ###
### 3. Move all your project's provisioning profiles into the CodeSign directory ###
### ###
### Running this script will update your project file to point to the correct UUIDs of each corresponding ###
### profile in your CodeSign directory. ###
##############################################################################################################