| Regex | Source | |
|---|---|---|
| MSSE-[0-9a-f]{3}-server | Default Cobalt Strike Artifact Kit binaries | |
| status_[0-9a-f]{2} | Default psexec_psh | |
| postex_ssh_[0-9a-f]{4} | Default SSH beacon | |
| msagent_[0-9a-f]{2} | Default SMB beacon | |
| postex_[0-9a-f]{4} | Default Post Exploitation job (v4.2+) | |
| mojo.5688.8052.183894939787088877[0-9a-f]{2} | jquery-c2.4.2.profile | |
| mojo.5688.8052.35780273329370473[0-9a-f]{2} | jquery-c2.4.2.profile | |
| wkssvc[0-9a-f]{2} | jquery-c2.4.2.profile | |
| ntsvcs[0-9a-f]{2} | trick_ryuk.profile |
| x64_config_spawn_to_x64 | count | |
|---|---|---|
| %windir%\sysnative\RuntimeBroker.exe | 2 | |
| %windir%\sysnative\WUAUCLT.exe | 3 | |
| %windir%\sysnative\WerFault.exe | 7 | |
| %windir%\sysnative\adobe64.exe | 1 | |
| %windir%\sysnative\cmstp.exe | 1 | |
| %windir%\sysnative\dllhost.exe | 14 | |
| %windir%\sysnative\dllhost.exe -o enable | 1 | |
| %windir%\sysnative\eventvwr.exe | 1 | |
| %windir%\sysnative\gpresult.exe | 2 |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
| import argparse | |
| import yara | |
| from colorama import init, Fore, Back, Style | |
| init() | |
| args_parser = argparse.ArgumentParser() | |
| args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True) | |
| args_parser.add_argument('-o', '--out', help='output file', type=str, required=False) | |
| args = args_parser.parse_args() |
Step 1) Start an AMSI ETW trace from an elevated command prompt
logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets
Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads
Step 3) Stop the AMSI trace
| ########## | |
| # Tweaked Win10 Initial Setup Script | |
| # Primary Author: Disassembler <disassembler@dasm.cz> | |
| # Primary Author Source: https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # Tweaked Source: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1/ | |
| # | |
| # If you're a power user looking to tweak your machinea, or doing larger roll-out.. | |
| # Use the @Disassembler0 script instead. It'll probably be more up-to-date than mine: | |
| # https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # |
| # A script that will safely remove adversary footholds on systems. | |
| # | |
| # Be sure to replace your observables down below. Be careful not to | |
| # included LOLBINs as they cannot be safely killed this way. Use | |
| # Kill-Threads.ps1 for those. | |
| # | |
| # Used with great success during CF20 | |
| # | |
| # Author: Eric Capuano |
| name: Custom.Winlogbeat.Deploy | |
| description: | | |
| Quick and dirty way to deploy Winlogbeat via Velociraptor | |
| # Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT | |
| type: CLIENT | |
| parameters: | |
| - name: binaryURL | |
| default: http://url.to/winlogbeat.exe | |
| - name: installPath | |
| default: C:\Program Files\winlogbeat |
| name: Custom.CapsSysmon.Deploy | |
| description: | | |
| A quick and dirty way to download and install sysmon via Velociraptor | |
| # Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT | |
| type: CLIENT | |
| parameters: | |
| - name: sysmonURL | |
| default: http://url.to/sysmon8_64.exe | |
| - name: binPath | |
| default: C:\sysmon.exe |
