Skip to content

Instantly share code, notes, and snippets.

View derekxmartin's full-sized avatar

Derek Martin derekxmartin

129 followers · 831 following
View GitHub Profile
@derekxmartin
derekxmartin / gist:d61029b534f0c9437394bdc563707529
Created March 18, 2026 12:53
https://x.com/UnderdogWNBA/status/2034245315797082303
@derekxmartin
derekxmartin / Start screen
Created March 16, 2026 13:15
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticecaption" -Value "Your Title Here"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticetext" -Value "Your message body here. Unauthorized access is prohibited."
@derekxmartin
derekxmartin / encoding.py
Created March 9, 2026 15:42
xor/rc4
"""
encoders.py
XOR (single-byte, rolling) and RC4 encoding implementations.
These are intentionally simple — mirrors real-world malware tradecraft.
"""
def xor_single_byte(data: bytes, key: int = 0x41) -> bytes:
"""Single-byte XOR. Trivial but still common in commodity malware."""
return bytes(b ^ key for b in data)
@derekxmartin
derekxmartin / gist:380b8b6bd52504982ff8c822b9e3cb8b
Created February 23, 2026 13:53
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" `
/target:library `
/reference:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Framework.dll" `
/out:C:\Temp\TestLogger.dll `
C:\Temp\TestLogger.cs
@derekxmartin
derekxmartin / gist:11e4e1b186b4193a8516f3a3c23fc544
Created February 18, 2026 18:09
https://derek-site-2026-6g03r9taz-derek-martins-projects.vercel.app/about/
@derekxmartin
derekxmartin / gist:20c497bc0d46b827b4d6e3dc7954a011
Created February 17, 2026 19:37
MSB-04: Atypical File — .csproj with Inline Task from Legitimate-Looking
Path
Objective:
Determine whether the detection signal can identify a malicious .csproj containing an inline C# task even
when the file resides in a directory that mimics a normal development workspace (complete with a .sln file).
This tests content-based detection rather than path-based heuristics. MSB-01 through MSB-03 already
validate detection from suspicious locations (C:\Temp). This test flips the scenario — the path looks
legitimate, but the content is malicious.
Steps:
1. Create a realistic project directory: mkdir C:\Source\MyProject\src
@derekxmartin
derekxmartin / TestLogger.cs
Last active February 17, 2026 18:24
using Microsoft.Build.Framework;
using System;
using System.IO;
// Benign test logger — writes to a temp file to prove execution
// Implements ILogger which MSBuild loads via /logger: switch
public class TestLogger : ILogger
{
public LoggerVerbosity Verbosity { get; set; }
public string Parameters { get; set; }
@derekxmartin
derekxmartin / childproc_proc_test.csproj
Created February 17, 2026 16:56
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="TestTarget">
<TestTask />
</Target>
<UsingTask
TaskName="TestTask"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Fragment" Language="cs">
@derekxmartin
derekxmartin / gist:98837d58e7e362b2c9a0a5a0ca29f3e7
Created February 17, 2026 15:29
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="TestTarget">
<TestTask />
</Target>
<UsingTask
TaskName="TestTask"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Using Namespace="System.IO" />
@derekxmartin
derekxmartin / gist:e4cad69955ea5cb68c317cf2b0a4d6e4
Created February 17, 2026 14:06
msbuild Test
# MSBuild.exe Detection Signal — Purple Team Testing Plan
**Classification:** Internal — PCSIRT / Red Team Use Only
**Author:** Red Team Operations
**Date:** February 2026
**Version:** 1.0
-----
## 1. Objective