Unzip the .docx first, or use scan.sh. The YARA rule must be compiled before scan.sh will work:
yarac canarytoken.yar canarytoken
| #include "stdafx.h" | |
| #include <windows.h> | |
| #include <Winbase.h> | |
| #include <Wtsapi32.h> | |
| #include <Userenv.h> | |
| #include <malloc.h> | |
| #pragma comment(lib, "Wtsapi32.lib") | |
| #pragma comment(lib, "Userenv.lib") |
| const puppeteer = require('puppeteer'); | |
| (async () => { | |
| const browser = await puppeteer.launch(); | |
| const page = await browser.newPage(); | |
| // Adjustments particular to this page to ensure we hit desktop breakpoint. | |
| page.setViewport({width: 1000, height: 600, deviceScaleFactor: 1}); | |
| await page.goto('https://www.chromestatus.com/samples', {waitUntil: 'networkidle'}); |
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host (source: Malwarebytes). This domain has been sinkholed, which stops the spread of the worm. This kill switch will not work if the host's traffic goes through a proxy (source). Update: A minor variant of the viru
| // (c) 2017 Yami Odymel | |
| // This code is licensed under MIT license. | |
| package main | |
| import ( | |
| "fmt" | |
| "html" | |
| "strconv" | |
| ) |
| function Invoke-MS16-032 { | |
| <# | |
| .SYNOPSIS | |
| PowerShell implementation of MS16-032. The exploit targets all vulnerable | |
| operating systems that support PowerShell v2+. Credit for the discovery of | |
| the bug and the logic to exploit it go to James Forshaw (@tiraniddo). | |
| Targets: | |
| package main | |
| import ( | |
| "flag" | |
| "fmt" | |
| "time" | |
| ) | |
| // Fake a long and difficult work. | |
| func DoWork() { |
| #!/bin/python | |
| import requests | |
| import threading | |
| import os | |
# Placeholder for the search-API key (presumably Shodan, judging by the
# query syntax below — confirm).  Load a real key from the environment
# rather than committing it here.
API_KEY = "XXXXXXXXXXXXXXXXX"
# Search query sent to the API; 5900 is the conventional VNC port, which
# matches the VNCSnapshot class that follows.
QUERY = "port:5900 authentication"
| class VNCSnapshot(threading.Thread): |
| from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer | |
| import json | |
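class WebHook(BaseHTTPRequestHandler):
    """Minimal webhook receiver: acknowledges each POST and pretty-prints its JSON body.

    Responds 200 once the body has been decoded as JSON and 400 when the
    request is malformed (missing or non-numeric Content-Length, or a body
    that is not valid JSON).  Nothing is stored; the decoded payload is only
    printed.  No body-size limit is applied, and no authentication is
    performed — keep this behind a trusted network or add both before
    exposing it.
    """

    def _read_json_body(self):
        """Read Content-Length bytes from the request and decode them as JSON.

        Raises ValueError when Content-Length is missing, non-numeric or
        negative, or when the body is not valid JSON.  Without this check a
        missing header made int(None) raise TypeError inside the handler,
        aborting the request with a traceback instead of an HTTP error.
        """
        raw_length = self.headers.getheader('content-length')
        try:
            length = int(raw_length)
        except (TypeError, ValueError):
            raise ValueError('missing or invalid Content-Length: %r' % (raw_length,))
        if length < 0:
            # read(-n) would read to EOF; treat a negative length as a bad request.
            raise ValueError('negative Content-Length: %d' % length)
        body = self.rfile.read(length)
        try:
            return json.loads(body)
        except ValueError as err:
            raise ValueError('body is not valid JSON: %s' % err)

    def do_POST(self):
        """Handle a POST: reply 200 (or 400 on a bad request) and print the JSON payload."""
        try:
            payload = self._read_json_body()
        except ValueError as err:
            # Tell the client rather than crashing the handler thread.
            self.send_response(400)
            self.end_headers()
            print('rejected request: %s' % err)
            return
        self.send_response(200)
        self.end_headers()
        print(json.dumps(payload, indent=4))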
# NOTE(review): '0.0.0.0' binds every interface, so this unauthenticated
# endpoint is reachable from any network the host is on; prefer 127.0.0.1
# (or a firewall rule) unless external callers genuinely need to reach it.
server = HTTPServer(('0.0.0.0', 8000), WebHook)
| #!/usr/bin/env python | |
| # coding: UTF-8 | |
| import socket | |
| import struct | |
# Debug tracing switches; how each level is consumed is outside this excerpt —
# presumably DEBUG2 is a more verbose tier, confirm against usage.
DEBUG = True
DEBUG2 = False
# PTP operation code for GetDeviceInfo (ISO 15740 / PIMA 15740 opcode table).
PTP_OC_GetDeviceInfo = 0x1001