lctrcl lctrcl
lctrcl
/ strings.py
Created
April 7, 2016 12:54
— forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from collections import namedtuple | |
| ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t" | |
| String = namedtuple("String", ["s", "offset"]) | |
lctrcl
/ commands.sh
Created
April 11, 2016 09:07
— forked from williballenthin/commands.sh
Install IDA Pro under Wine in Docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # build wine Docker image | |
| pushd wine; docker build -t wine .; popd | |
| # build x11 Docker image for IDA | |
| pushd ida; docker build -t wine/ida .; popd | |
| # demonstrate x11 forwarding works | |
| run -ti --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix wine/ida xclock | |
| # interactive shell in container |
lctrcl
/ steal_1password_creds.rb
Created
May 23, 2016 20:23
— forked from claudijd/steal_1password_creds.rb
Steal 1Password credentials from browser auto-fill PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Path setting slight of hand: | |
| $: << File.expand_path("../../lib", __FILE__) | |
| require 'packetfu' | |
| require 'json' | |
| capture_thread = Thread.new do | |
| cap = PacketFu::Capture.new(:iface => 'lo0', :start => true) | |
| cap.stream.each do |p| | |
| pkt = PacketFu::Packet.parse p | |
| if pkt.payload.include?("executeFillScript") |
lctrcl
/ keystrokes.d
Created
May 30, 2016 17:16
— forked from palmerabollo/keystrokes.d
dtrace keystrokes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/dtrace -s | |
| syscall::read:entry | |
| /execname == "sh" || execname == "ksh" || execname == "csh" || | |
| execname == "tcsh" || execname == "zsh" || execname == "bash"/ | |
| { | |
| self->start = timestamp; | |
| self->buf = arg1; | |
| self->len = arg2; | |
| } |
lctrcl
/ osxlockdown.conf
Created
July 26, 2016 13:40
— forked from arubdesu/osxlockdown.conf
query pack (v1) for https://github.com/SummitRoute/osxlockdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "packs": { | |
| "osxlockdown": { | |
| "platform": "darwin", | |
| "version": ".1", | |
| "queries": { | |
| "OS Updates": { | |
| "query": "select value from preferences where path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' and key = 'LastSuccessfulDate';", | |
| "interval": "86400", | |
| "description": "Verify all Apple OS-bundled software has checked it's configured server recently", |
lctrcl
/ autodump_powershell_process.ps1
Created
August 9, 2016 07:45
— forked from mattifestation/autodump_powershell_process.ps1
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'PowerShellProcessStarted' | |
| Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
lctrcl
/ PowerShell Command Line Logging
Created
March 1, 2017 11:03
— forked from gfoss/PowerShell Command Line Logging
Detect and alert on nefarious PowerShell command line activity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell Audit Logging for LogRhythm SIEM - 2015 | |
| # For detecting dangerous PowerShell Commands/Functions | |
| Log Source Type: | |
| MS Event Log for Win7/Win8/2008/2012 - PowerShell | |
| Add this file to your PowerShell directory to enable verbose command line audit logging | |
| profile.ps1 | |
| $LogCommandHealthEvent = $true | |
| $LogCommandLifeCycleEvent = $true |
lctrcl
/ PoshNaughtyList
Created
June 17, 2017 06:18
— forked from MatthewDemaske/PoshNaughtyList
Powershell NaughtyWord List
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *ExecuteShellCommand* | |
| *GetDelegateForFunctionPointer* | |
| *GetModuleHandle* | |
| *GetProcAddress* | |
| *Groups.User.Properties.cpassword* | |
| *IMAGE_NT_OPTIONAL_HDR64_MAGIC* | |
| *InteropServices.HandleRef* | |
| *kernel32.dll* | |
| *LSA_UNICODE_STRING* | |
| *Management.Automation.RuntimeException* |
lctrcl
/ CorruptCLRGlobal.ps1
Created
December 8, 2018 20:49
— forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Subvert-CLRAntiMalware { | |
| <# | |
| .SYNOPSIS | |
| A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
| .DESCRIPTION | |
| clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
lctrcl
/ InterceptorThing.ps1
Created
December 20, 2018 09:03
Interceptor - Normal User No Admin Required.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| This script demonstrates the ability to capture and tamper with Web sessions. | |
| For secure sessions, this is done by dynamically writing certificates to match the requested domain. | |
| This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack. | |
| Function: Interceptor | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
OlderNewer