| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
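An added example, not part of the gist above, showing why these prefixes are stable and how a defender can use them: it recomputes each table entry from its plaintext (UTF-16LE for the PowerShell ones, since `-EncodedCommand` takes base64 of UTF-16LE), and decodes base64-looking tokens in a constructed command line to check them against the listed signatures. The sample command line, the regex and all function names are assumptions made for this example.

```python
import base64
import binascii
import re

# Signatures from the table above as (description, raw bytes). The PowerShell
# entries are UTF-16LE because -EncodedCommand base64-encodes UTF-16LE text.
SIGNATURES = [
    ("variable declaration (UTF-16)", "$".encode("utf-16-le")),
    ("MZ header", b"MZ"),
    ("Invoke-Expression", b"IEX"),
    ("Invoke-Expression (UTF-16)", "IEX".encode("utf-16-le")),
    ("Invoke-* string (UTF-16)", "In".encode("utf-16-le")),
    ("'<' as in Emotet's UTF-16 payloads", "<".encode("utf-16-le")),
]

def b64_prefix(text: str, encoding: str, nchars: int) -> str:
    """Base64 of `text` in `encoding`, truncated to its first nchars symbols."""
    return base64.b64encode(text.encode(encoding)).decode()[:nchars]

def fixed_chars(sig: bytes) -> int:
    """Number of leading base64 symbols fully fixed by len(sig) bytes.
    Each symbol carries 6 bits, so 8*n bits fix floor(8n/6) symbols; the next
    symbol also depends on the top bits of whatever byte follows the signature
    (e.g. 'JA' is fixed by '$\\0', the 'B' in 'JAB' needs an ASCII letter next)."""
    return (len(sig) * 8) // 6

# Constructed, deliberately loose token pattern: anything base64-like of 12+ chars.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

def scan_command_line(line: str) -> list[tuple[str, str]]:
    """Decode every base64-looking token in `line` and report the table
    signatures its decoded bytes start with, as (token prefix, description)."""
    hits = []
    for tok in B64_TOKEN.findall(line):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 after all
        for desc, sig in SIGNATURES:
            if raw.startswith(sig):
                hits.append((tok[:6], desc))
    return hits

# Constructed sample command line (not a real capture); the table prefix
# SQBFAF is visible in it without decoding anything.
SAMPLE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    "IEX (Get-Content C:\\temp\\note.ps1 -Raw)".encode("utf-16-le")).decode()
```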
```powershell
# Import Invoke-Atomic
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psm1"
# Create a multi-endpoint PS session and store it
$sesh = New-PSSession -ComputerName PC-01,PC-02,PC-03 -Credential (Get-Credential)
# Create Scheduled Task
$sch_arg = @{'time' = '10:59'}
Invoke-AtomicTest T1078.001 -TestGuids 42f53695-ad4a-4546-abb6-7d837f644a71 -InputArgs $sch_arg
```
```xml
<Sysmon schemaversion="4.81">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <DnsLookup>False</DnsLookup>
  <CheckRevocation>False</CheckRevocation>
  <ArchiveDirectory>sysmon</ArchiveDirectory>
  <EventFiltering>
    <!--Event ID 1: Process creation-->
    <ProcessCreate onmatch="exclude"></ProcessCreate>
    <!--Event ID 2: A process changed a file creation time-->
    <FileCreateTime onmatch="exclude"></FileCreateTime>
    <!--remaining event rules are not shown in this preview-->
  </EventFiltering>
</Sysmon>
```
```powershell
function Invoke-ChainReaction {
<#
.SYNOPSIS
A single script that combines the original Chain Reactions from the Atomic Red Team project
.PARAMETER Reaction
Specifies the ChainReaction to execute.
#>
    # function body is not shown in this preview
}
```
```javascript
// Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find the current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
```
```
mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll
```

This can redirect the search to an arbitrary location and evade tools that are looking for file modifications in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html