wxs@wxs-mbp yara % cat rules/test.yara
rule a {
strings:
// This program cannot VGhpcyBwcm9ncmFtIGNhbm5vdA==
// AThis program cannot QVRoaXMgcHJvZ3JhbSBjYW5ub3Q=
// AAThis program cannot QUFUaGlzIHByb2dyYW0gY2Fubm90
$a = "This program cannot" base64
// Custom alphabets are supported, but I have it commented out for now. ;)
Glenn hiddenillusion
williballenthin
/ TxR.bt
Created
November 22, 2019 20:49
010 Editor template for parsing Windows Registry TxR (.regtrans-ms) files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //------------------------------------------------ | |
| //--- 010 Editor v8.0.1 Binary Template | |
| // | |
| // File: Transactional Registry Transaction Logs (.TxR) | |
| // Authors: Willi Ballenthin <[email protected]> | |
| // Version: 0.1 | |
| // Reference: https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html | |
| //------------------------------------------------ | |
| LittleEndian(); |
williballenthin
/ macOS_keychain.py
Last active
February 7, 2025 10:37
bling.py - extract keys from macOS keychains.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| bling.py - extract keys from macOS keychains. | |
| installation: | |
| pip install pytz hexdump vivisect-vstruct-wb tabulate argparse pycryptodome | |
| usage: | |
| python bling.py /path/to/keychain-db <password> ./path/to/output/directory |
clong
/ Native-Windows-Useragentss.txt
Created
September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Invoke-WebRequest: | |
| Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066 | |
| System.Net.WebClient.DownloadFile(): | |
| None | |
| Start-BitsTransfer: | |
| Microsoft BITS/7.8 | |
| certutil.exe: |
williballenthin
/ stackstrings.yara
Last active
March 12, 2025 07:04
match x86 that appears to be stack string creation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule stack_strings | |
| { | |
| meta: | |
| author = "William Ballenthin" | |
| email = "[email protected]" | |
| license = "Apache 2.0" | |
| copyright = "FireEye, Inc" | |
| description = "Match x86 that appears to be stack string creation." | |
| strings: |
deruke
/ Sysmon_only_script
Created
September 6, 2017 19:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if not exist "C:\windows\sysmon_config.xml" ( | |
| copy /z /y "\\lab.local\SYSVOL\lab.local\scripts\sysmon\sysmon_config.xml" "C:\windows\" | |
| ) | |
| sc query "Sysmon" | Find "RUNNING" | |
| If "%ERRORLEVEL%" EQU "1" ( | |
| goto startsysmon | |
| ) | |
| :startsysmon | |
| net start Sysmon |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions } |
leoloobeek
/ EventVwrBypass.cs
Last active
April 10, 2025 11:47
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Win32; | |
| /* | |
| InstallUtil.exe C# version of Event Viewer UAC bypass |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
April 24, 2025 15:06
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
clong
/ scenario.md
Last active
March 11, 2019 21:07
"bash_reverse_shell": {
"query": "SELECT * FROM processes WHERE cmdline LIKE '/bin/bash -i >& /dev/tcp/%';",
"interval": 30,
"description": "Looks for processes that resemble a bash reverse shell"
}NewerOlder