| # Python 3.11.0a0 64-bit | |
| import sys | |
| import opcode | |
| import types | |
| import ctypes | |
| # PyBytesObject.ob_sval | |
| PyBytesObject_ob_sval_offset = 0x20 | |
| # _frame.f_localsplus |
| using System; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using System.Linq; | |
| namespace NautilusProject | |
| { | |
| internal class CombinedExec | |
| { | |
| public static IntPtr AllocMemory(int length) |
I've transformed this gist into a git repository.
Whenever you research a certain vulnerability ask yourself these questions and please answer them for us
Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)
| #include <string.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include "beacon.h" | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
| DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
| @Library('ci-jenkins-common') _ | |
| // Jenkins build pipeline (declarative) | |
| // Project: Seatbelt | |
| // URL: https://github.com/GhostPack/Seatbelt | |
| // Author: @tifkin_/@harmj0y | |
| // Pipeline Author: harmj0y | |
| def gitURL = "https://github.com/GhostPack/Seatbelt" |
| ################################################## | |
| ## PyDefenderCheck - Python implementation of DefenderCheck | |
| ################################################## | |
| ## Author: daddycocoaman | |
| ## Based on: https://github.com/matterpreter/DefenderCheck | |
| ################################################## | |
| import argparse | |
| import enum |
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
| using System; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| namespace test | |
| { | |
| class Win32 | |
| { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); |
| # Requires: curl, jq | |
| # Download MITRE ATT&CK data from GitHub repository | |
| curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | |
| # List all ATT&CK object types | |
| jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json | |
| # List all ATT&CK technique identifiers | |
| jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json |
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |