import "hash"

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}

import os
import sys
import logging
import pefile
import ucutils
import unicorn
import capstone
import argparse

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

function Get-InjectedThread
{
    <#
    .SYNOPSIS
    Looks for threads that were created as a result of code injection.
    .DESCRIPTION

Id       : 1
Version  : 0
LogLink  : System.Diagnostics.Eventing.Reader.EventLogLink
Level    : System.Diagnostics.Eventing.Reader.EventLevel
Opcode   : System.Diagnostics.Eventing.Reader.EventOpcode
Task     : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {, fi:FileNameCreate}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <!-- License: BSD3-Clause -->
    <script language="JScript">
        <![CDATA[

<!--
  This is a Microsoft Sysmon configuration to be used on Windows server systems
  v0.2.1 December 2016
  Florian Roth

  The focus of this configuration is
    - hacking activity on servers / lateral movement (bad admin, attacker)

  It is not focussed on
    - malware detection (execution)
    - malware detection (network connections)

<!--
  This is a Microsoft Sysmon configuration to be used on Windows workstations
  v0.2.1 December 2016
  Florian Roth (with the help and ideas of others)

  The focus of this configuration is
    - malware detection (execution)
    - malware detection (network connections)
    - exploit detection

  It is not focussed on

#Requires -RunAsAdministrator
#Requires -Version 5.0
# requires Windows 10
Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName

# as Markdown
<#
#Requires -RunAsAdministrator
$result = Get-EtwTraceProvider | sort SessionName
$result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"}
#>

# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions

Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell

Add this file to your PowerShell directory to enable verbose command line audit logging

profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true