mattifestation

# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
    CloseKey              = 0x00000001
    QuerySecurityKey      = 0x00000002
    SetSecurityKey        = 0x00000004
    EnumerateValueKey     = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey     = 0x00000040
    FlushKey              = 0x00000080

filmor

Neo23x0

Base64 Patterns - Learning Aid

Base64 Code	Mnemonic Aid	Decoded*	Description
JAB	🗣 Jabber	$.	Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq	📺 Television	MZ	MZ header
SUVY	🚙 SUV	IEX	PowerShell Invoke Expression
SQBFAF	🐣 Squab favorite	I.E.	PowerShell Invoke Expression (UTF-16)
SQBuAH	🐣 Squab uahhh	I.n.	PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA	💪 "Pah!"	<.	Often used by Emotet (UTF-16)

thomaspatzke

# Requires: curl, jq

# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json

# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json

xpn

using System;
using System.Reflection;
using System.Runtime.InteropServices;

namespace test
{
    class Win32
    {
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

xpn

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

daddycocoaman

##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################


import argparse
import enum

HarmJ0y

@Library('ci-jenkins-common') _

// Jenkins build pipeline (declarative)

// Project:         Seatbelt
// URL:             https://github.com/GhostPack/Seatbelt
// Author:          @tifkin_/@harmj0y
// Pipeline Author: harmj0y

def gitURL = "https://github.com/GhostPack/Seatbelt"

G0ldenGunSec

#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

Neo23x0

I've transformed this gist into a git repository.

---

Whenever you research a certain vulnerability ask yourself these questions and please answer them for us

Logging

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)