@MHaggis
MHaggis / HVC_LOLDrivers_check_csv.ps1
Created November 21, 2023 02:44
Based on Trail of Bits HVCI LOLDrivers Check script - just outputs to csv
<#
.SYNOPSIS
Compares the HVCI block list on the current system against the list of
vulnerable and malicious drivers from loldrivers.io
Company: Trail of Bits
Author: Michael Lin
Contributors: Yarden Shafir
License: Apache 2
MHaggis / T1059.yaml
Created November 8, 2023 18:22
You will need to create the T1059 folder in the Atomics directory. Save this as a new yaml in that dir. A second folder under T1059 will be src. Place the au3 file there.
attack_technique: T1059
display_name: Command and Scripting Interpreter
atomic_tests:
- name: AutoIt Message Box Test with Download and Extract
  description: |
    Downloads AutoIt to the temporary directory, extracts it, and executes an AutoIt script that shows a message box.
  supported_platforms:
  - windows
  input_arguments:
    autoit_script_path:
View T1562.001.yaml
- name: Enable Dev Drive With Disabled AV Using Fsutil
  description: |
    This test simulates an adversary enabling a Developer Drive using fsutil.exe with arguments that disable antivirus (AV) on the created drive.
    This technique requires administrative privileges and is relevant for Windows 11 environments starting with Build #10.0.22621.2338 or later.
    The execution of this command should be closely monitored and flagged in production environments.
    Ref. https://x.com/0gtweet/status/1720419490519752955?s=20 and https://x.com/Kostastsale/status/1721271281705001306?s=20
  supported_platforms:
  - windows
View F5 TMUI Exploitation CVE-2023-46747.md

my fav one:

| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
MHaggis / HoneyMimiclite.py
Created October 31, 2023 18:12
You'll prob need to change line 6 or make a logs dir.
from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime
import logging
current_datetime = datetime.now().strftime('%Y%m%d_%H%M%S')
log_file_name = f'logs/app_{current_datetime}.log'  # the logs/ directory must exist before the server starts
class EmulatedServer(BaseHTTPRequestHandler):
    pass  # request handlers for the emulated service follow in the full gist
MHaggis / T1547.yaml
Created October 18, 2023 15:23
Atomic Red Team
- name: 'HKCU - Add Registry Key Under CurrentVersion\Windows'
  description: |
    This test attempts to add a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    which points to a potential payload "calc.exe". This can be indicative of an attacker trying to achieve persistence or other malicious objectives.
    References:
    - https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
    - https://persistence-info.github.io/Data/windowsload.html
  supported_platforms:
  - windows
  input_arguments:
View T1553.003.yaml
attack_technique: T1553.003
display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
  auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
  description: |
    Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from
    https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
    the system to utilize it during signature checks, and logging said checks.
  supported_platforms:
MHaggis / SIP_inputs.md
Created October 10, 2023 19:47
Inventory SIP

Place in inputs.conf and watch the SIP roll in.

# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://SubjectInterfacePackage]
script = $registryPaths = @("HKLM:\SOFTWARE\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1"); $registryPaths | ForEach-Object {Get-ChildItem -Recurse $_ | ForEach-Object {$key=$_; $props=$key.GetValueNames(); $propDataPairs=@{}; for ($i=0; $i -lt $props.Length; $i++) {$propDataPairs[$props[$i]]=$key.GetValue($props[$i])}; $outputObj=[PSCustomObject]@{Path=$key.PSPath;PSChildName=$key.PSChildName}; $propDataPairs.GetEnumerator() | ForEach-Object {Add-Member -InputObject $outputObj -NotePropertyName $_.Name -NotePropertyValue $_.Val
View T1218.yaml
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
  description: |
    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
    - https://twitter.com/0gtweet/status/1674399582162153472
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    Registry keys are deleted after successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
MHaggis / T1574.001.yaml
Created September 20, 2023 14:40
#AtomicWednesdays T1574.001 - PrintDemon
- name: PrintDemon
  description: |
    Atomic Test to emulate PrintDemon.
    [Reference](https://github.com/BC-SECURITY/Invoke-PrintDemon)
    Also seen on TryHackme - https://tryhackme.com/room/dllhijacking
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: File path for ualapi.dll