Skip to content

Instantly share code, notes, and snippets.

View hydeel's full-sized avatar

hydeel

14 followers · 23 following
View GitHub Profile
@jonny-jhnson
jonny-jhnson / KerberosCorrelation.ipynb
Last active May 28, 2024 22:40
Kerberos Detection/Investigation
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
@str4d
str4d / DemangleRust.py
Last active March 19, 2025 02:27
Ghidra script for demangling Rust symbols
# Attempts to demangle all mangled symbols in the current program using the Rust
# mangling schemes, and replace the default symbol and function signature
# (if applicable) with the demangled symbol.
#
# License: MIT OR Apache-2.0
#@author Jack Grigg <thestr4d@gmail.com>
#@category Symbol
import string
@Alexufo
Alexufo / simple-https-python-server.py
Last active August 17, 2025 10:04
Simple Python https server example py 3.10+ ( multithread, wasm, gzip )
import http.server
import http.cookiejar
import io
import socket
from http import HTTPStatus
import ssl
import os
import zlib
server_address = ('0.0.0.0', 4443)
@mgraeber-rc
mgraeber-rc / GetAMSIEvent.ps1
Created October 8, 2021 20:53
A simple AMSI event trace parser
# Author: Matt Graeber
# Company: Red Canary
# To start a trace, run the following from an elevated command prompt: logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# To stop the trace, run the following: logman stop AMSITrace -ets
# Example usage: Get-AMSIEvent -Path .\AMSITrace.etl
function Get-AMSIEvent {
param (
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@olafhartong
olafhartong / sunburst_countermeasures.md
Created December 14, 2020 08:47

FireEye Sunburst KQL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below

Blog post

All FireEye detections

DeviceEvents
@nikallass
nikallass / check-smb-v3.11.sh
Created March 11, 2020 04:57
CVE-2020-0796. Scan HOST/CIDR with nmap script smb-protocols.nse and grep SMB version 3.11.
#!/bin/bash
if [ $# -eq 0 ]
then
echo $'Usage:\n\tcheck-smb-v3.11.sh TARGET_IP_or_CIDR'
exit 1
fi
echo "Checking if there's SMB v3.11 in" $1 "..."
nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active December 1, 2025 19:51
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB 🗣 Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq 📺 Television MZ MZ header
SUVY 🚙 SUV IEX PowerShell Invoke Expression
SQBFAF 🐣 Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH 🐣 Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA 💪 "Pah!" &lt;. Often used by Emotet (UTF-16)
@Bill-Stewart
Bill-Stewart / Get-BitLockerRecovery.ps1
Last active July 1, 2024 14:53
Gets BitLocker recovery information for one or more Active Directory computer objects
# Get-BitLockerRecovery.ps1
# Written by Bill Stewart (bstewart AT iname.com)
# Version history:
#
# 1.2 (2024-07-01)
# * Updated code formatting.
# * Changed PasswordID to PasswID.
#
# 1.1 (2019-09-12)
@adrice727
adrice727 / executeDataflowTemplate.ts
Last active January 15, 2021 10:24
Executing a Google Cloud Dataflow Template from Node
import axios from "axios";
import jwt from "jsonwebtoken";
import mem from "mem";
import fs from "fs";
const loadServiceAccount = mem(function(){
// This is a string containing service account credentials
const serviceAccountJson = process.env.GOOGLE_APPLICATION_CREDENTIALS;
if (!serviceAccountJson) {
throw new Error("Missing GCP Credentials");