Skip to content

Instantly share code, notes, and snippets.

View qwertysn35's full-sized avatar

qwertysn35 qwertysn35

3 followers · 15 following
View GitHub Profile
@embee-research
embee-research / suspicious_msdt_execution.yml
Last active September 13, 2022 04:33
title: Suspicious msdt.exe execution - Office Exploit
id: 97a80ed7-1f3f-4d05-9ef4-65760e634f6b
status: experimental
description: This rule will monitor suspicious arguments passed to the msdt.exe process. These arguments are an indicator of recent Office/Msdt exploitation.
references:
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://twitter.com/MalwareJake/status/1531019243411623939
author: 'Matthew Brennan'
tags:
- attack.execution
@kevthehermit
kevthehermit / detection.yml
Last active September 16, 2022 22:55
Office --> MSDT --> RCE
title: Sysmon Office MSDT
id: c95ed569-5da4-48b3-9698-5e429964556c
description: Detects MSDT Exploit Attempts
status: experimental
author: kevthehermit
date: 2022/05/30
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://gist.github.com/kevthehermit/5c8d52af388989cfa0ea38feace977f2
logsource:
@jaskiratr
jaskiratr / chmod-400.cmd
Created June 29, 2018 01:03
Set permission of file equivalent to chmod 400 on Windows.
# Source: https://stackoverflow.com/a/43317244
$path = ".\aws-ec2-key.pem"
# Reset to remove explict permissions
icacls.exe $path /reset
# Give current user explicit read-permission
icacls.exe $path /GRANT:R "$($env:USERNAME):(R)"
# Disable inheritance and remove inherited permissions
icacls.exe $path /inheritance:r