I hereby claim:
- I am nasbench on github.
- I am nasbench (https://keybase.io/nasbench) on keybase.
- I have a public key ASCERZHjJ7mUyROvWgr41hlUXh_byMkTO918VVCAtXhxbgo
To claim this, I am signing this object:
Nasreddine Bencherchali nasbench
📚
nasbench
/ pwsh_dirty_words.yml
Last active
March 19, 2025 19:57
List of suspicious strings used by PowerShell `SuspiciousContentChecker` function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: System.Management.Automation.dll | |
| # This list is used to determin if a ScriptBlock contains potential suspicious content | |
| # If a match is found an automatic 4104 with a "warning" level is generated. | |
| # https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs | |
| - "Add-Type" | |
| - "AddSecurityPackage" | |
| - "AdjustTokenPrivileges" | |
| - "AllocHGlobal" | |
| - "BindingFlags" | |
| - "Bypass" |
nasbench
/ debug-script.txt
Created
November 8, 2022 19:44
Debug script example that can be used to trigger cdb.exe LOLBIN as described in https://twitter.com/nas_bench/status/1534957360032120833
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| as AdpDumpDir C:\logs\20220609_183403_Crash_Mode | |
| .logopen /t "${AdpDumpDir}\ADPlus_log.log" | |
| as AdpOutputDir C:\logs | |
| as AdpDumpDirEsc C:\\logs\\20220609_183403_Crash_Mode | |
| as AdpTimeStamp 20220609_183403 | |
| * | |
| *----- OS and Time Information ---- | |
| vertarget | |
| * | |
| * |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ADPlus Version='2'> | |
| <Settings> | |
| <Option> FullOnFirst </Option> | |
| <Runmode> Hang </Runmode> | |
| <!-- | |
| If you want to run the binary and not dump anything. | |
| Then this can be any process as long as it's running | |
| --> | |
| <ProcessName> notepad.exe </ProcessName> | |
| <OutputDir>C:\temp\</OutputDir> |
nasbench
/ fiddlerPOC.cs
Created
June 16, 2022 18:13
A simple fiddler classic extension persistence POC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Diagnostics; | |
| using Fiddler; | |
| [assembly: Fiddler.RequiredVersion("2.3.5.0")] | |
| namespace POCFiddlerDotNet | |
| { | |
| public class PersistencePOC : IFiddlerExtension | |
| { | |
| public PersistencePOC() { } |
nasbench
/ keybase.md
Created
February 7, 2022 12:42
NewerOlder