CaledoniaProject

## inject.c
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
//  Vyacheslav Rusakov @swwwolf
//  Tom Bonner @thomas_bonner
//

#include <Windows.h>

## client.ps1
function Get-PublicKey
{
    [OutputType([byte[]])]
    PARAM (
        [Uri]$Uri
    )

    if (-Not ($uri.Scheme -eq "https"))
    {
        Write-Error "You can only get keys for https addresses"

## GoogleHackMasterList.txt
admin account info" filetype:log
!Host=*.* intext:enc_UserPassword=* ext:pcf
"# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd
"AutoCreate=TRUE password=*"
"http://*:*@www&#8221; domainname
"index of/" "ws_ftp.ini" "parent directory"
"liveice configuration file" ext:cfg -site:sourceforge.net
"parent directory" +proftpdpasswd
Duclassified" -site:duware.com "DUware All Rights reserved"
duclassmate" -site:duware.com

## winlogon.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

## README.md

      
              4 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                CaledoniaProject
                / README.md
            
            
              Created
              March 1, 2018 14:34
                — forked from jthuraisamy/README.md
            
          
    PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.
The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex

  
## WMI_attack_detection.ps1
#region Scriptblocks that will execute upon alert trigger
$LateralMovementDetected = {
    $Event = $EventArgs.NewEvent

    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)

    $MethodName = $Event.MethodName
    $Namespace = $Event.Namespace
    $Object = $Event.ObjectPath
    $User = $Event.User

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## InstallUtilMouseKeyLogger.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
 * https://code.google.com/p/klog-sharp/
*/

## GetSecureBootPolicy.ps1
function Get-SecureBootPolicy {
<#
.SYNOPSIS

Parses a Secure Boot policy.

.DESCRIPTION

Get-SecureBootPolicy parses either the default, system Secure Boot policy or a policy passed as a byte array. The byte array must be a raw, unsigned policy.

## RDP_Eavesdropping_Hijacking
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions.  Here is a gist of (semi) interesting findings
that is not very new...

===========
Inspiration
===========
As you may already know...
	//
	// Ref = src
	// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
	//
	// Credits:
	// Vyacheslav Rusakov @swwwolf
	// Tom Bonner @thomas_bonner
	//

	#include <Windows.h>
	function Get-PublicKey
	{
	[OutputType([byte[]])]
	PARAM (
	[Uri]$Uri
	)

	if (-Not ($uri.Scheme -eq "https"))
	{
	Write-Error "You can only get keys for https addresses"
	admin account info" filetype:log
	!Host=. intext:enc_UserPassword=* ext:pcf
	"# -FrontPage-" ext:pwd inurl:(service \| authors \| administrators \| users) "# -FrontPage-" inurl:service.pwd
	"AutoCreate=TRUE password=*"
	"http://:@www” domainname
	"index of/" "ws_ftp.ini" "parent directory"
	"liveice configuration file" ext:cfg -site:sourceforge.net
	"parent directory" +proftpdpasswd
	Duclassified" -site:duware.com "DUware All Rights reserved"
	duclassmate" -site:duware.com
	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	#region Scriptblocks that will execute upon alert trigger
	$LateralMovementDetected = {
	$Event = $EventArgs.NewEvent

	$EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)

	$MethodName = $Event.MethodName
	$Namespace = $Event.Namespace
	$Object = $Event.ObjectPath
	$User = $Event.User
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	using System;
	using System.IO;
	using System.Diagnostics;
	using System.Windows.Forms;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;
	//KeyStroke Mouse Clicks Code
	/*
	* https://code.google.com/p/klog-sharp/
	*/
	function Get-SecureBootPolicy {
	<#
	.SYNOPSIS

	Parses a Secure Boot policy.

	.DESCRIPTION

	Get-SecureBootPolicy parses either the default, system Secure Boot policy or a policy passed as a byte array. The byte array must be a raw, unsigned policy.
	RDP Eavesdropping and Hijacking
	*******************************
	I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings
	that is not very new...

	===========
	Inspiration
	===========
	As you may already know...