More cheatsheets

api/bitbucket.md

@@ -0,0 +1,23 @@
+### Source
+https://developer.atlassian.com/cloud/bitbucket/rest/intro
+
+### Upload file to repository
+```
+curl -X POST -H "Authorization: Bearer <apiKey>" -F "<uploadFile>=@./<localFile>" "https://api.bitbucket.org/2.0/repositories/<workspace>/<repository>/src?branch=master"
+```
+
+### Get meta data of file
+```
+curl -H "Authorization: Bearer <apiKey>" "https://api.bitbucket.org/2.0/repositories/<workspace>/<repository>/commits?path=<filePath>"
+```
+
+### Download file
+```
+curl -H "Authorization: Bearer <apiKey>" "https://api.bitbucket.org/2.0/repositories/<workspace>/<repository>/src/master/<filePath>"
+```
+
+### List files inside repository
+```
+curl -H "Authorization: Bearer <apiKey>" "https://api.bitbucket.org/2.0/repositories/<workspace>/<repository>/src/master/"
+```
+

api/github.md

@@ -0,0 +1,43 @@
+### Source
+https://docs.github.com/en/rest
+
+### Create private repository
+```
+curl -X POST -H "Authorization: token <apiKey>" -H "Accept: application/vnd.github+json" https://api.github.com/user/repos -d '{"name": "<repository>", "description": "<description>", "private": true}'
+```
+
+### Delete repository
+```
+curl -X DELETE -H "Authorization: token <apiKey>" -H "Accept: application/vnd.github+json" https://api.github.com/repos/<user>/<repository>
+```
+
+### List files inside repository
+```
+curl -H "Authorization: token <apiKey>" https://api.github.com/repos/<user>/<repository>/contents
+```
+
+### Upload file to repository
+```
+curl -X PUT -H "Authorization: token <apiKey>" https://api.github.com/repos/<user>/<repository>/contents/<filePath> -d "{\"message\":\"<message>\",\"content\":\"<fileContentBase64>\"}"
+```
+
+### Get commit meta data
+```
+curl -H "Authorization: token <apiKey>" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/<user>/<repository>/commits?path=<filePath>"
+```
+
+### Get file content and meta data
+```
+curl -s -H "Authorization: token <apiKey>" https://api.github.com/repos/<user>/<repository>/contents/<filePath>
+```
+
+### Download file from repository
+```
+curl -s -H 'Authorization: token <apiKey>' -H 'Accept: application/vnd.github.v3.raw' -o <outfile> "https://api.github.com/repos/<user>/<repository>/contents/<filePath>"
+```
+
+### Upload and overwrite file 
+```
+curl -X PUT -H "Authorization: token <apiKey>" https://api.github.com/repos/<user>/<repository>/contents/<filePath> -d "{\"message\":\"<message>\",\"content\":\"<fileContentBase64>\", \"sha\":\"<shaSum>\"}"
+```
+

api/malcore.md

@@ -0,0 +1,13 @@
+### Source
+https://docs.malcore.io
+
+### Run scan for domain
+```
+curl -X POST https://api.malcore.io/api/domain -H "apiKey: <apiKey>" -H "X-No-Poll: true" --data "domain=<domain>"
+```
+
+### Run scan for URL
+```
+curl -X POST https://api.malcore.io/api/urlcheck -H "apiKey: <apiKey>" --data "url=https://<url>"
+```
+

linux/dmesg.md

@@ -0,0 +1,5 @@
+### Print the kernel ring buffer
+```
+dmesg
+```
+

linux/jq.md

@@ -17,6 +17,11 @@ var="content"
 echo "<json>" | jq -r --arg vari "${var}" 'select(.key == $vari) | .key2'
 ```
 
+### Do not print null values
+```
+cat <file>.json | jq -r ".matches[] | .key[], .subkey | select(. != null)" 
+```
+
 ### Print distinguishedname of bloodhound users
 ```
 cat <userFile>.json | jq '.data[].Properties.distinguishedname

snippet/py/argParse.py

@@ -23,9 +23,15 @@
                             action = "store_true")
 
 argumentParser.add_argument("-t", "--timeout", dest="timeout",
-                            help = "maximal time that...",
+                            help = "maximal time that ...",
                             default = "600")
 
+argumentParser.add_argument("-g", "--graph", dest = "generateGraph",
+                            help = "generate graph ...",
+                            nargs="?",
+                            const="light",
+                            choices=["dark", "light"])
+
 args = argumentParser.parse_args()
 
 # print verbose

snippet/sh/getHomeDirectory.sh

@@ -0,0 +1,7 @@
+if [ -n "${SUDO_USER:-}" ]
+then
+    homeDir=$(getent passwd "$SUDO_USER" | cut -d: -f6)
+else
+    homeDir="$HOME"
+fi
+

url/git-tools

@@ -1144,6 +1144,9 @@ Prevents you from committing secrets and credentials into git repositories
 https://github.com/ayoubfathi/leaky-paths
 A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins.
 
+https://github.com/b1tg/rust-windows-shellcode
+Windows shellcode development in Rust
+
 https://github.com/badsectorlabs/sccm-http-looter
 Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(s)
 
@@ -1711,6 +1714,9 @@ PowerShell framework to assess Azure security
 https://github.com/hausec/ProxyLogon
 ProxyLogon PoC
 
+https://github.com/helviojunior/hookchain
+HookChain: A new perspective for Bypassing EDR Solutions
+
 https://github.com/hephaest0s/usbkill
 « usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
 
@@ -1810,6 +1816,9 @@ A collaborative, multi-platform, red teaming framework
 https://github.com/jacob-baines/concealed_position
 Bring your own print driver privilege escalation tool
 
+https://github.com/jacobdjwilson/awesome-annual-security-reports
+A curated list of annual cyber security reports
+
 https://github.com/jasperan/whatsapp-osint
 WhatsApp spy - logs online/offline events from ANYONE in the world
 
@@ -2479,6 +2488,9 @@ dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the bl
 https://github.com/punk-security/pwnspoof
 pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customisable attack scenarios.
 
+https://github.com/pushsecurity/saas-attacks
+Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.
+
 https://github.com/pwn1sher/WMEye
 WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement
 
@@ -2815,6 +2827,9 @@ This repo contains a massive amount (8000+) of WordPress related Nuclei template
 https://github.com/tr3ss/newclei
 A Go tool that gets the newest PRs from projectdiscovery/nuclei-templates.
 
+https://github.com/trickster0/EDR_Detector
+EDR Detector that can find what kind of endpoint solution is being used according to drivers in the system.
+
 https://github.com/trickster0/OffensiveRust
 Rust Weaponization for Red Team Engagements.
 
@@ -2842,6 +2857,9 @@ Passwords Recovery Tool
 https://github.com/two06/CerealKiller
 .NET deserialization hunter
 
+https://github.com/tyranid/oleviewdotnet
+A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
+
 https://github.com/ultrafunkamsterdam/undetected-chromedriver
 Custom Selenium Chromedriver | Zero-Config | Passes ALL bot mitigation systems (like Distil / Imperva/ Datadadome / CloudFlare IUAM)
 

url/osint.md

@@ -1,6 +1,7 @@
 * https://3wifi.stascorp.com ; #wifi #wardriving #osint #geolocation
 * https://aadinternals.com/osint ; #osint #azure #entra #tenant #domain
 * https://app.binaryedge.io ; #osint #portscan #email #dataleak #breach #leak
+* https://app.malcore.io ; #malware-analyse #sandbox #yara #ransom-note #domain #whois #history #threat-intelligence
 * https://app.shadowmap.org ; #osint #sun #map #image #geolocation
 * https://app.tomba.io ; #osint #email #domain #geolocation #social-media #whois
 * https://app.validin.com ; #osint #nameserver #dns-history #rootdomain

url/tagged-urls.md

@@ -153,6 +153,7 @@
 * https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html ; #syscall #c++ #dll
 * https://cocomelonc.github.io/malware/2023/11/23/malware-cryptography-22.html ; #shellcode #xtea #encryption #av #anti-virus #bypass
 * https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html ; #windows #shorcut #powershell #persistence
+* https://cocomelonc.github.io/persistence/2024/08/14/malware-pers-26.html ; #windows #persistence #dll #socket #procmon
 * https://code.visualstudio.com/docs/remote/tunnels ; #pivoting #tunnel #vs-code
 * https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit ; #linux #audit-events #evasion #apollon #daphne #detection
 * https://codewhitesec.blogspot.com/2023/04/java-exploitation-restrictions-in.html ; #java #deserialization #jdk #ysoserial
@@ -166,6 +167,7 @@
 * https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong ; #privesc #privilege-escalation #juicy-potato #windows #clsid
 * https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system ; #windows #ntlm #local-potato
 * https://decoder.cloud/2023/09/05/from-ntauthcertificates-to-silver-certificate ; #windows #adcs #active-directory #certificate-service
+* https://decoder.cloud/2024/08/02/the-fake-potato ; #windows #powershell #dot-net #cross-session-activation #com-object #impersonation #cve-2024-38100
 * https://defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf ; #802-1x #bridge #linux
 * https://detect.fyi/threat-hunting-suspicious-named-pipes-a4206e8a4bc8?gi=f841fec0eb16 ; #threat-intelligence #named-pipe #ipc #windows #linux #event-id #threat-hunting
 * https://detect.fyi/threat-hunting-suspicious-windows-service-names-2f0dceea204c?gi=25697c91242b ; #dfir #forensic #event-id #log #windows #services #siem
@@ -255,7 +257,7 @@
 * https://ipslav.github.io/2023-12-12-let-me-manage-your-appdomain ; #windows #appdomain #edr #evasion #dirtyclr #dot-net
 * https://iq.thc.org/discover-proton-mail-registration-date-with-one-weird-trick ; #proto #email #osint #pgp #web-key-directory
 * https://isc.sans.edu/diary/A+new+spin+on+the+ZeroFont+phishing+technique/30248 ; #phishing #email #threat-intelligence
-* https://isc.sans.edu/diary/rss/30676 ; #phishing #threatintel #internet-archive #waybackmachine
+* https://isc.sans.edu/diary/rss/30676 ; #phishing #threat-intelligence #internet-archive #waybackmachine
 * https://itm4n.github.io/dll-proxying ; #windows #dll #privesc #privilege-escalation #proxying #wrapper
 * https://itm4n.github.io/lsass-runasppl ; #windows #lsass #lsa-protection #runasppl #credential-guard #driver
 * https://itm4n.github.io/printnightmare-exploitation ; #windows #printer #printnightmare #powershell #bring-your-own-vulnerable-printer-driver 
@@ -446,6 +448,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023 ; #windows #meterpreter #shellcode #xor #edr #evasion #bypass
 * https://redsiege.com/blog/2024/01/you-cant-see-me-protecting-your-phishing-infrastructure ; #phishing #infrastructure #apache
 * https://redteaming.co.uk/2020/07/12/dll-proxy-loading-your-favorite-c-implant ; #windows #dll #sideloading #proxying #donut #payload
+* https://redteamrecipe.com/macos-red-teaming ; #mac-os #ioplatformexpertdevice #tcc-database #application-bundle #electron-app #keychain #healthinspector-utility
 * https://repositorio-aberto.up.pt/bitstream/10216/142935/2/572983.pdf ; #gaming #cheat #detection #prevention
 * https://research.aurainfosec.io/pentest/hook-line-and-phishlet ; #phishing #exvilginx #adfs #azure #entra #mfa
 * https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks ; #windows #active-directory #ntlm #office
@@ -516,6 +519,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware ; #threat-intelligence #malware-analyse #iso #lnk #dll
 * https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware ; #threat-intelligence #malware-analyse #icedid #vnc
 * https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours ; #threat-intelligence #malware #ransomware
+* https://thedfirreport.com/2024/08/26/blacksuit-ransomware ; #threat-intelligence #ransomware #malware #active-directory #bloodhound #sharphound #psexec #registry #powershell
 * https://thegreycorner.com/2023/08/30/aws-service-C2-forwarding.html ; #domain-fronting #aws #lambda #cloudfront #api
 * https://threatanatomy.io/en/posts/004-analyzing-a-dotnet-c2-agent ; #pestudio #windows #malware-analyse #visual-studio #dnspy #command-and-control #c2 #dot-net
 * https://tij.me/blog/harvesting-active-directory-credentials-via-http-request-smuggling ; #webapp #http-request-smuggling #proxy
@@ -599,7 +603,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://www.geekboy.ninja/blog ; #web #xss #clickjacking #pastejacking
 * https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques ; #windows #active-directory #ntlm-relay #shadow-credentials #s4u2self #resource-based-delegation
 * https://www.guidepointsecurity.com/blog/sccm-exploitation-evading-defenses-and-moving-laterally-with-sccm-application-deployment ; #sccm #system-centre-configuration-manager #windows #active-directory
-* https://www.hackerone.com/application-security/guide-subdomain-takeovers ; #web #subdomain-takeover #cname #osint ##methodology #dns
+* https://www.hackerone.com/application-security/guide-subdomain-takeovers ; #web #subdomain-takeover #cname #osint #methodology #dns
 * https://www.hackthebox.com/blog/llmnr-poisoning-attack-detection ; #llmnr ntlm-relay #detection
 * https://www.horizon3.ai/from-cve-2022-33679-to-unauthenticated-kerberoasting ; #kerberoast #active-directory #kerberoast #cve #spn #tgt
 * https://www.http418infosec.com/offsecops-using-jenkins-for-red-team-tooling ; #jenkins #pipeline #obfuscation #csharp
@@ -638,6 +642,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://www.ophionsecurity.com/post/phishing-the-anti-phishers-exploiting-anti-phishing-tools-for-internal-access ; #jira #anti-phishing #automated-email-gateway #saas #softare-as-a-service
 * https://www.osintme.com/index.php/2022/10/18/the-osint-me-ultimate-guide-to-telegram-osint-and-privacy ; #osint #telegram
 * https://www.outflank.nl/blog/2024/06/03/edr-internals-macos-linux ; #edr #telemetry #linux #macosx
+* https://www.outflank.nl/blog/2024/08/13/will-the-real-grimresource-please-stand-up-abusing-the-msc-file-format ; #phishing #initial-access #windows #mmc #microsoft-management-console
 * https://www.patreon.com/posts/91648640?utm_campaign=postshare_creator ; #dotnet #console-app #initial-access
 * https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin ; #windows #amsi #bypass #admin #dll #scanbuffer #scanstring
 * https://www.pavel.gr/blog/obfuscating-rubeus-using-codecepticon ; #obtaining #windows #rubeus #certificate
@@ -678,7 +683,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html ; #azure #entra #microsoft365 #unified-audit-log #ual #illicit-consent-grant #password-spraying #device-code-phishing #evilginx
 * https://www.synack.com/blog/exploits-explained-5-unusual-authentication-bypass-techniques ; #webapp #refresh-token
 * https://www.synacktiv.com/en/publications/a-dive-into-microsoft-defender-for-identity.html ; #windows #etw #mdi #azure #entra #edr #ldap #kerberos #evasion #bypass
-* https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html ; #cloud #azure #entra #methodology ##phs
+* https://www.synacktiv.com/en/publications/azure-ad-introduction-for-red-teamers.html ; #cloud #azure #entra #methodology
 * https://www.synacktiv.com/en/publications/github-actions-exploitation-untrusted-input ; #github-actions #expression-injection #continuous-integration #continuous-delivery #code-injection
 * https://www.synacktiv.com/en/publications/pcapan-a-pcap-analysis-helper.html ; #dfir #forensic #pcab
 * https://www.synacktiv.com/publications/exploring-android-heap-allocations-in-jemalloc-new ; #android #heap-overflow #allocation
@@ -709,6 +714,7 @@ https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tok
 * https://www.virusbulletin.com/virusbulletin/2019/04/alternative-communication-channel-over-ntp ; #network-time-protocol #ntp #data-exfiltration
 * https://www.vx-underground.org/#E:/root ; #malware-collection #wiki
 * https://www.websec.ca/kb/sql_injection ; #mysql #cheatsheets #wiki
+* https://www.wietzebeukema.nl/blog/why-bother-with-argv0 ; #argv #av #anti-virus #edr #evasion #bypass
 * https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration ; #cloud #azure #entra #bing #account-takeover
 * https://www.x86matthew.com/view_post?id=clipboard_inject ; #shellcode #clipboard #injection #c
 * https://www.x86matthew.com/view_post?id=embed_exe_lnk ; #phishing #exe #lnk #spoofing

windows/smbshare.md

@@ -1,10 +1,15 @@
-### List smb shares
+### List shares
 ```
 Get-SmbShare -name "<rhost>"
 ```
 
-### Create smb share
+### Create share (everyone/jeder)
 ```
 New-SmbShare -Name "<name>" -Path "<path>" -FullAccess "<domain>\<user>"
 ```
 
+### Remove share
+```
+Remove-SmbShare -Name "<name>"
+```
+