mepher
ChoiSG
/ rsrcDecryptAssembly.nim
Last active
September 19, 2022 17:31
embed .net, decrypt, load and execute in nim poc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import nimcrypto | |
| import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy | |
| #[ | |
| All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t | |
| nimble install winim nimcrypto zippy | |
| nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim | |
| slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time. |
jfmaes
/ DInjectQueuerAPC.cs
Created
November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
jeffmcjunkin
/ gist:d5fb8dbf15cbd5d37a77fafccda4d969
Created
October 6, 2020 14:53
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring | |
| to dump the clear text password you can do : | |
| ``` | |
| gdb -p <PID_OF_SSSD> | |
| call system("keyctl show > /tmp/output") | |
| ``` | |
| From the /tmp/output locate the key_id for the user you want | |
| Example of an output is : |
jhaddix
/ content_discovery_all.txt
Created
May 26, 2018 11:51
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ | |
| --- |
jaradc
/ entropy_calculation_in_python.py
Last active
November 18, 2024 16:15
Four different ways to calculate entropy in Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import numpy as np | |
| from scipy.stats import entropy | |
| from math import log, e | |
| import pandas as pd | |
| import timeit | |
| def entropy1(labels, base=None): | |
| value,counts = np.unique(labels, return_counts=True) | |
| return entropy(counts, base=base) |
enigma0x3
/ Create-LNK.ps1
Created
January 5, 2017 15:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-LNKPayload{ | |
| <# | |
| .SYNOPSIS | |
| Generates a malicous LNK file | |
| .PARAMETER LNKName | |
| Name of the LNK file you want to create. |
mattifestation
/ Example_WMI_Detection_EventLogAlert.ps1
Created
January 14, 2016 21:53
An example of how to use permanent WMI event subscriptions to log a malicious action to the event log
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the signature - i.e. __EventFilter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'LateralMovementEvent' | |
| Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $InstanceArgs = @{ | |
| Namespace = 'root/subscription' |