The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
- APT33
- APT34
- APT39
- Charming Kitten
dmaasland
/ Invoke-Procdump.ps1
Created
November 27, 2019 12:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ProcDump { | |
| public static class DbgHelp { | |
| [DllImport("Dbghelp.dll")] | |
| public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); | |
| } | |
| } |
MSAdministrator
/ iranian_apit_groups_possible_commands.md
Last active
December 6, 2024 08:14
Iranian APT Groups & Possible Commands Used By These Groups
rvrsh3ll
/ gadget2jscriptQueueAPCInject.cs
Last active
July 21, 2023 13:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using System.Net; | |
| using System.IO.Compression; | |
| public class Payload | |
| { |
Cyb3rWard0g
/ COMPlus_ETWEnabled_detection_notes.md
Last active
November 23, 2023 20:05
- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
OlderNewer