@theevilbit
theevilbit / divide_and_conquer.c
Created January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@rxwx
rxwx / pulseversion.py
Created August 13, 2019 09:04
Pulse Secure Version Scanner
import requests
import sys
import re
HEADERS = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0"}
if len(sys.argv) != 2:
    # print() works under both Python 2 and 3 for a single string argument
    print(" Usage: python pulseversion.py <target ip/domain>")
    sys.exit(1)
@JamesHagerman
JamesHagerman / stslte-notes.md
Last active March 17, 2024 20:37
My notes about running srsLTE

srsLTE notes

These are notes I've taken while trying to get srsLTE up and running. This is messy, sorry...

Working solution - LimeSDR + SoapySDR + srsLTE

Dependencies:

sudo apt install tree vim git g++ make cmake pkg-config libpython-dev python-numpy swig libi2c-dev libusb-1.0-0-dev libfftw3-dev libmbedtls-dev libboost-program-options-dev libconfig++-dev libsctp-dev gnuradio
@magisterquis
magisterquis / demoshell.go
Last active December 30, 2024 23:16
Beaconing shell, useful for demos. Catch it with netcat.
// demoshell is a nifty beaconing shell useful for demos
package main
/*
* demoshell.go
* Simple reverse shell used in demos
* By J. Stuart McMurray
* Created 20180331
* Last Modified 20180331
*/
anonymous
anonymous / memMITM.cpp
Created December 19, 2017 00:23
SSL MITM PoC - Hook sspicli!EncryptMessage
#define SECURITY_WIN32 //Define First Before Imports.
#include <windows.h>
#include <stdio.h>
#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
FARPROC fpEncryptMessage; //Pointer To The Original Location
BYTE bSavedByte; //Saved Byte Overwritten by 0xCC -
@deruke
deruke / winevent-logstash.conf
Created June 29, 2017 16:25
winevent-logstash
# capture windows events over JSON
# expects to be sent by the NXLOG package
# author: Joff Thyer, 2017
input {
  tcp {
    port => 3515
    codec => json
  }
}
anonymous
anonymous / dump.csv
Created April 8, 2017 21:24
Parsed out compromised hosts from #ShadowBrokers
ID Host IP Address Year Month Day Implant Version OS
PITCHIMPAIR ns1.youngdong.ac.kr 202.30.58.5 1969 12 31 INCISION 1.1.2.1 hppa2.0w-hp-hpux11.00
INTONATION tx.micro.net.pk 203.135.2.194 2000 8 17 JACKLADDER 2.0 sparc-sun-solaris2.7
INTONATION hakuba.janis.or.jp 210.232.42.3 2000 8 22 JACKLADDER 2.0 sparc-sun-solaris2.6
INTONATION mail.interq.or.jp 210.157.0.87 2000 8 24 JACKLADDER 2.0 sparc-sun-solaris2.6
INTONATION mx1.freemail.ne.jp 210.235.164.21 2000 8 28 JACKLADDER ? i386-pc-solaris2.7
INTONATION webnetra.entelnet.bo 166.114.10.28 2000 8 30 JACKLADDER 2.0 sparc-sun-solaris2.6
INTONATION opcwdns.opcw.nl 195.193.177.150 2000 9 6 JACKLADDER 2.0 sparc-sun-solaris2.6
INTONATION rayo.pereira.multi.net.co 206.49.164.2 2000 9 20 JACKLADDER 2.0 sparc-sun-solaris2.6
INTONATION most.cob.net.ba 195.222.48.5 2000 9 21 JACKLADDER 2.0 sparc-sun-solaris2.6
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active June 8, 2025 15:56
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
    <#
    .SYNOPSIS
    Looks for threads that were created as a result of code injection.
    .DESCRIPTION
@Neo23x0
Neo23x0 / annotations.xml
Last active November 12, 2024 01:34
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
  <Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
  </Annotation>
  <Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
    <Label name="_cse_turlh5vi4xc"/>
    <AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
  </Annotation>
@brandond
brandond / vpc-flowlog
Last active September 18, 2023 03:41
logstash-grok-pattern-vpc-flow-log
# VPC Flow Log fields
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-log-records
VPCFLOWLOG %{NUMBER:version:int} %{NUMBER:account-id} %{NOTSPACE:interface-id} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NOTSPACE:srcport:int} %{NOTSPACE:dstport:int} %{NOTSPACE:protocol:int} %{NOTSPACE:packets:int} %{NOTSPACE:bytes:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:log-status}