msuiche / TrueBot_Domains_IOC.yara
Created July 8, 2023 19:44
TrueBot_Domains_IOC
rule TrueBot_Domains_IOC {
meta:
date = "2023-07-08"
description = "Hunts for memory IOCs TRUEBOT."
author = "Matt Suiche - Magnet Forensics"
reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
verdict = "dangerous"
mitre = "T1082"
platform = "windows"
rule MOVEit_Transfer_exploit_webshell_memory {
meta:
date = "2023-06-15"
description = "Hunts for memory IOCs MOVEit Transfer exploitation."
author = "Matt Suiche - Magnet Forensics"
reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"
reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"
reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"
reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara"
verdict = "dangerous"
/*
Hunting Russian Intelligence “Snake” Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by
Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive
targets.
*/
rule Windows_Snake_Malware {
meta:
msuiche / GetPowerShellInfo.ps1
Last active May 23, 2020 19:20
Memory Forensics and PowerShell
##
## A good excuse to learn LINQ in WinDbg.
## Author: Matt Suiche (@msuiche) - 18-Jan-2019
##
## References:
## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
##
msuiche / WipeMeOrNot.c
Created June 29, 2017 06:14
Petya.2017
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
//
// The mysterious command (0x2E214B44) results in the first 10 sectors being wiped out; the same happens if the original replaceBootSectors() function fails.
//
// 0x2E214B44 ??? => Mysterious process. Name very close to AVP.exe
// Source of below hashes: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
msuiche / t.wnry.bt
Created May 15, 2017 11:58
010 Template for t.wnry
//------------------------------------------------
//--- 010 Editor v7.0 Binary Template
//
// File:
// Authors:
// Version:
// Purpose:
// Category:
// File Mask:
// ID Bytes:
/*
# 010 Template for t.wnry
typedef struct {
char Signature[8]; // WANACRY!
uint32 Part1Size; // Always 0x100
char DataPart1[Part1Size];
uint32 Part2Signature;
uint64 Part2Size;
char DataPart2[Part2Size];
msuiche / WannaCry-SMB.c
Created May 13, 2017 08:39
WannaCry - DOUBLEPULSAR references
// https://twitter.com/msuiche
int threadMain()
{
unsigned int i; // edi@1
_DWORD *v1; // eax@2
void *v2; // esi@7
char v4; // [sp+13h] [bp-2Dh]@0
char v5; // [sp+14h] [bp-2Ch]@1
void *Memory; // [sp+18h] [bp-28h]@1
msuiche / EternalBlue-SmbHandler.asm
Created April 23, 2017 09:45
DOUBLEPULSAR - ETERNALBLUE - SmbHandler()
Thanks to https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html#pulsar_step5 for the description
kd> dps srv!SrvTransaction2DispatchTable
91463530 9148b56f srv!SrvSmbOpen2
91463534 91485fe4 srv!SrvSmbFindFirst2
91463538 9148606d srv!SrvSmbFindNext2
9146353c 91488a89 srv!SrvSmbQueryFsInformation
91463540 914892f3 srv!SrvSmbSetFsInformation
91463544 9147ff65 srv!SrvSmbQueryPathInformation
91463548 91480c74 srv!SrvSmbSetPathInformation
msuiche / Installer.dll
Created March 10, 2017 07:14
Installer.dll (Vault7)
// Decompiled with JetBrains decompiler
// Type: Installer.Install
// Assembly: Installer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 1DF6A781-016A-4A47-9C62-874A888EB357
// Assembly location:
using \u0004;
using \u0006;
using Microsoft.Win32;
using System;