@watson0x90
watson0x90 / polyfill_io_page_source_check.bcheck
Last active June 27, 2024 12:59
Page source includes reference to polyfill[.]io
metadata:
language: v1-beta
name: "Page source includes reference to polyfill[.]io"
description: "Locate polyfill[.]io issues."
author: "@watson0x90"
tags: "cdn", "javascript", "polyfill", "exposure"
given response then
if {latest.response} matches "(https?:\/\/)?([a-z0-9-]+\.)*polyfill\.io(\/.*)?" then
report issue:
@watson0x90
watson0x90 / BHSanitize.py
Last active June 21, 2024 16:48
Designed to sanitize BloodHound JSON data by replacing Unicode escape sequences with `uni-` and base64 encoding invalid characters.
# Script Name: BHSanitize.py
# Author: Ryan Watson
# Gist Github: https://gist.github.com/Watson0x90
# Created on: 2024-06-21
# Last Modified: 2024-06-21
# Description: Designed to sanitize BloodHound JSON data by replacing Unicode escape sequences `\u` with `uni-` and base64 encoding invalid characters.
# Version: 1.0.0
# License: MIT License
# Usage: python BHSanitize.py
@watson0x90
watson0x90 / customqueries.json
Created January 24, 2024 23:30 — forked from seajaysec/customqueries.json
bloodhound custom queries
{
"queries": [{
"name": "List all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned computers",
@watson0x90
watson0x90 / WSL2_VPN_Workaround_Instructions.md
Created March 16, 2021 16:48 — forked from machuu/WSL2_VPN_Workaround_Instructions.md
Workaround for WSL2 network broken on VPN

Overview

Internet connection and DNS routing are broken from WSL2 instances when some VPNs are active. The workaround breaks down into two problems:

  1. Network connection to internet
  2. DNS in WSL2

This problem is tracked in multiple microsoft/WSL issues including, but not limited to:

@watson0x90
watson0x90 / Get-InjectedThread.ps1
Last active April 29, 2020 23:07 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@watson0x90
watson0x90 / CompileInMemory.cs
Created July 23, 2019 20:55
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
@watson0x90
watson0x90 / Inject.cs
Created July 6, 2018 14:05
DotNetToJScript Build Walkthrough
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class TestClass
{
public TestClass()
{}
#WMIC Commands from https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/
wmic baseboard get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon
wmic bios get name, version, serialnumber
wmic bootconfig get BootDirectory, Caption, TempDirectory, Lastdrive
wmic cdrom get Name, Drive, Volumename
wmic computersystem get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list
wmic cpu get Name, Caption, MaxClockSpeed, DeviceID, status
wmic datafile where name='c:\\boot.ini' get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version
wmic dcomapp get Name, AppID /format:list
wmic desktop get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list
$hostlist = "",""
$userSearch = ""
$ErrorActionPreference = "SilentlyContinue"
function Invoke-QueryDowngrade{
$downgradeXML = @"
@watson0x90
watson0x90 / ClickyClicky.ps1
Created July 21, 2017 01:28
Make the mouse go click
Add-Type -AssemblyName System.Windows.Forms
$screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
[Windows.Forms.Cursor]::Position = "$($screen.Width),$($screen.Height)"
function Click-MouseButton
{
$signature=@'
[DllImport("user32.dll",CharSet=CharSet.Auto, CallingConvention=CallingConvention.StdCall)]
public static extern void mouse_event(long dwFlags, long dx, long dy, long cButtons, long dwExtraInfo);
'@