Roberto Rodriguez Cyb3rWard0g

evals_table_jinja.md

Free Telemetry Report

Step Procedure Criteria Technique Detections
{% for s in renderyaml %} {{s['step']}} {{s['procedure']}} {{s['criteria']}} {{s['technique']['name']}}
{% endfor %}
create_table_report.py
from jinja2 import Template
import copy
import yaml
import glob
from os import path
print("[+] Processing files inside {} directory".format('../docs/evals/apt29/steps'))
# ******** Open every forge yaml file available ****************
print("[+] Opening report yaml files..")
yaml_files = sorted(
    glob.glob(path.join(path.dirname(__file__), '../docs/evals/apt29/steps', "*.yaml")),
    # Order the step files numerically rather than lexically: file names are expected to
    # look like "<step>.<letter>.<sub-step>_<name>.yaml" (e.g. 3.B.2_...), so sort by
    # (step number, letter, sub-step number) instead of the raw string.
    key=lambda x: (
        int(path.basename(x).split(".")[0]),
        str(path.basename(x).split(".")[1]),
        int(path.basename(x).split(".")[2].split("_")[0]),
    ),
)
3_B_2_Bypass_User_Account_Control.yaml
vendor: OTR Community
step: 3.B.2
procedure: Executed elevated PowerShell payload
criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
technique:
  name: Bypass User Account Control
  id: T1088
issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6
detections:
  - main_type: Telemetry
audit_rule_microphone_webcam_access.md

Clone the Set-AuditRule Project

git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule

Create Rule

win_camera_microphone_access.yml
title: Processes Accessing the microphone and webcam
id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6
status: experimental
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
tags:
COMPlus_ETWEnabled_detection_notes.md

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework)
    • Look at the framework registry keys (HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
seatbelt_wmi_query_strings_basic_exploration.txt
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
SELECT * FROM win32_networkconnection"
Select * from Win32_ComputerSystem"
SELECT * FROM Win32_DeviceGuard"
SELECT * FROM win32_service"
SELECT * FROM AntiVirusProduct"
SELECT * FROM MSFT_DNSClientCache"
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
SELECT * FROM Win32_Process"
SELECT * FROM Win32_Process WHERE SessionID != 0"
seatbelt_appdata_basic_exploration.txt
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Roaming\\gcloud\\credentials.db"
seatbelt_registry_basic_exploration.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"
talk-stream-time.md