Download Winlogbeat and place it in the same directory as the script, or somewhere in $PATH
PS>
# pip install JPype1
import jpype
import jpype.imports
from jpype.types import *
import os

# Installation directory that holds cobaltstrike.jar.  The script chdir()s
# into it before starting the JVM; the original author's note says this is
# required so the jar can find its auth file -- presumably a cwd-relative
# lookup inside the jar, not verified here.
cs_dir = "<cobaltstrike directory>"

os.chdir(cs_dir)  # required for auth file lookup
jpype.startJVM()
# Class path entry is added after startJVM(), exactly as in the original;
# whether JPype honours a late addClassPath() depends on the JPype version.
jpype.addClassPath(f"{cs_dir}/cobaltstrike.jar")
Payload used by MuddyWater as detailed here: https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html | |
Replace "http://127.0.0.1:8000/cmd" with link to page containing command | |
Command page should be something like: "c:\windows\system32\cmd.exe /c calc.exe" |
//modified from: https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection | |
#include <iostream> | |
#include <windows.h> | |
#include "resource.h" | |
// Header of one base-relocation block: a page address followed by the byte
// size of the block.  NOTE(review): from the field names this looks like the
// documented IMAGE_BASE_RELOCATION layout (VirtualAddress / SizeOfBlock);
// confirm against the code that walks the relocation data.  Field order and
// width are part of the on-disk layout and must not be changed.
struct BASE_RELOCATION_BLOCK {
    DWORD PageAddress;
    DWORD BlockSize;
};
typedef BASE_RELOCATION_BLOCK *PBASE_RELOCATION_BLOCK;
using System; | |
using System.IO; | |
using System.Linq; | |
using System.Security.Cryptography; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Threading.Tasks; | |
using Microsoft.Win32; | |
public class Crypto |
# adapted from https://stackoverflow.com/a/6291111 | |
# | |
# TargetObject = account with SPN | |
# $TargetObject = "LDAP://CN=foo,CN=Users,DC=contoso,DC=local" | |
# Identity = identity to be put in ACE | |
# $Identity = [security.principal.ntaccount]"contoso\user" | |
# $Identity = [security.principal.securityidentifier]"S-1-1-0" | |
# Deny = deny or allow access | |
Function Set-SpnPermission { | |
param( |
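from pyspark.sql import Row

# mydict is something like {"abc":"def", "ghi":"jkl"}
# Build a single-row DataFrame whose column names are mydict's keys and whose
# one row holds the matching values (keys() and values() iterate in the same
# order for an unmodified dict).  Relies on `mydict`, `spark` and `display`
# already existing in the surrounding notebook session -- confirm.
computer = Row(*mydict.keys())
rows = [computer(*mydict.values())]
# Fix: the original passed the undefined name `row` here instead of `rows`,
# which raises NameError before any DataFrame is built.
display(spark.createDataFrame(rows))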
"""A module for translating and manipulating SDDL strings. | |
SDDL strings are used by Microsoft to describe ACLs as described in | |
http://msdn.microsoft.com/en-us/library/aa379567.aspx. | |
Example: D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU) | |
""" | |
__author__ = 'tojo2000@tojo2000.com (Tim Johnson)' |
. |
# based on NetCease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b | |
# can be deployed on a per-host basis using this script - e.g. via something like SCCM | |
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value | |
# (lanmanserver still needs to be restarted when done this way) | |
# see: https://adsecurity.org/?p=3299 -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease) | |
# constants
# Registry key and value name that NetCease (linked above) modifies to
# restrict net-session enumeration.  NOTE(review): the value is understood to
# hold the SrvSvc session-info access descriptor; what this script writes to
# it is outside this excerpt -- confirm against the rest of the script.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"