@jgamblin
jgamblin / vtslack.py
Last active November 15, 2021 05:02
Scan a Folder and Upload VT Findings to Slack.
#!/usr/bin/env python
import os
import sys
import json
import urllib
import urllib2
import hashlib
import argparse
from slacker import Slacker
@markekraus
markekraus / Get-AADBitLockerRcoveryKey.ps1
Last active June 6, 2018 12:26
Get BitLocker Recovery Key from Azure AD
#Requires -Modules AzureRM.Profile, AzureAD
$DeviceObjectId = '' # Set an objectID for a device
$SubScriptionID = '' # change with your subscription ID
Add-AzureRmAccount
$Subscription = Select-AzureRmSubscription -Subscription $SubScriptionID
$currentAzureContext = Get-AzureRmContext -Name $Subscription.Name
$TenantId = $currentAzureContext.Tenant.Id
$tokenCache = $currentAzureContext.TokenCache
$Cache = $tokenCache.ReadItems().Where({$_.ExpiresOn -gt (Get-Date) -and $_.TenantId -eq $TenantId })[0]
@mattifestation
mattifestation / AMSIScriptContentRetrieval.ps1
Created June 18, 2018 00:47
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
# Script author: Matt Graeber (@mattifestation)
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# Do your malicious things here that would be logged by AMSI
# logman stop AMSITrace -ets
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture
$OSPointerSize = 32
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }
@jgamblin
jgamblin / websiteup.sh
Created September 3, 2018 13:42
Simple Bash Script To Take A Long List Of Domains And Return Only Ones With Webpages.
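#!/bin/bash
# Print only the entries in domains.txt that answer an HTTP HEAD request successfully.
for url in $(cat domains.txt)
do
    if curl --output /dev/null --silent --head --fail "$url"; then
        # Pass the URL as an argument, not as the printf format string.
        printf '%s \n' "$url"
    fi
done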
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active May 30, 2025 16:36
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

| Base64 Code | Mnemonic Aid | Decoded* | Description |
| --- | --- | --- | --- |
| `JAB` | 🗣 Jabber | `$.` | Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:` |
| `TVq` | 📺 Television | `MZ` | MZ header |
| `SUVY` | 🚙 SUV | `IEX` | PowerShell Invoke Expression |
| `SQBFAF` | 🐣 Squab favorite | `I.E.` | PowerShell Invoke Expression (UTF-16) |
| `SQBuAH` | 🐣 Squab uahhh | `I.n.` | PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
| `PAA` | 💪 "Pah!" | `<.` | Often used by Emotet (UTF-16) |
rule bitrat_2_mem
{
meta:
description = "BitRAT"
author = "James_inthe_box"
reference = "7b03ad29559118bb36b1400b4865f82a90fd389031ccebd228836cfd09d63e9b"
date = "2021/06"
maltype = "RAT"
strings: