Skip to content

Instantly share code, notes, and snippets.

@mattifestation
mattifestation / EnableAMSILogging.ps1
Last active October 29, 2022 14:28
Enables AMSI logging to the AMSI/Operational event log
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"
New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41
@rootkea
rootkea / spectre.c
Created January 4, 2018 15:36
PoC from Spectre Attacks: Exploiting Speculative Execution (https://spectreattack.com/spectre.pdf)
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
# All scripts
```
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
```
# General scripts
```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```
# Microsoft access
```
@gfoss
gfoss / auto-hydra.sh
Created August 3, 2017 03:16
Simple Masscan + Hydra wrapper used to perform automated scans by group (organization, unit, team, etc) and generate a report on the results.
#!/bin/bash
#
# @heinzarelli
# greg . foss [at] logrhythm . com
# v0.1 - May 2017
#
function usage {
echo ""
@gfoss
gfoss / Extract-WiFi-Creds.ps1
Last active October 21, 2024 17:03
Simple script to extract locally-stored Wi-Fi Credentials
#====================================#
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
#====================================#
# Licensed under the MIT License
<#

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@leoloobeek
leoloobeek / EventVwrBypass.cs
Last active June 6, 2023 08:50
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active October 1, 2024 18:37
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@binkybear
binkybear / mubix-lock.sh
Last active November 3, 2021 22:56
mubix-lock.sh
#!/bin/bash
#
# Attack created by Mubix. For more information see:
# https://room362.com/post/2016/snagging-creds-from-locked-machines
# Modified for Nethunter by Binkybear
#
# ================== #
# Check for root
# ================== #
@MichaelPote
MichaelPote / himawari.ps1
Created February 3, 2016 19:11
Windows Powershell Script to download the latest image from the Himawari-8 satelite, combine the tiles into a single image, convert to jpg and then set as the desktop background.
#
# Himawari-8 Downloader
#
#
#
# This script will scrape the latest image from the Himawari-8 satellite, recombining the tiled image,
# converting it to a JPG which is saved in My Pictures\Himawari\ and then set as the desktop background.
#
# http://himawari8.nict.go.jp/himawari8-image.htm
#