View GlobalFlags in Image File Execution Options.yml
- name: GlobalFlags in Image File Execution Options
  description: |
    The following Atomic Test will create a GlobalFlag key under Image File Execution Options, as well as a SilentProcessExit key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
    Upon running whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value.
    Upon successful execution, PowerShell will modify the registry and spawn calc.exe. An event 3000 will be generated in the Application log.
  supported_platforms:
  - windows
  input_arguments:
    process:
      description: |
@MHaggis
MHaggis / get_cmdline.reg
Created Sep 8, 2022 — forked from thinkst-cs/get_cmdline.reg
Monitoring Silent Process Exit
View get_cmdline.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\nltest.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="powershell.exe -Command \"Get-WmiObject win32_process -Filter 'ProcessID = %e' | select CreationDate,ProcessId,CommandLine >> C:\\\\Test\\\\Logcmdline.txt\""
View Top 20.md
dat	20291
tmp	10652
vlpset	5777
TMP	5444
sbstore	3438
sqlite-shm	2409
sqlite-wal	2409
metadata	1647
txt	1402
View html-smuggling-example.html
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Simple Transactional Email</title>
<style>
/* -------------------------------------
GLOBAL RESETS
------------------------------------- */
@MHaggis
MHaggis / handlers
Created Jun 2, 2022
Get-Item Registry::HKEY_CLASSES_ROOT\* | Select-Object "Property","PSChildName" | Where-Object -Property Property -Match "^URL*" | Export-Csv -path c:\temp\url_all.csv
View handlers
bingmaps
calculator
callto
conf
DLNA-PLAYSINGLE
Explorer.AssocActionId.BurnSelection
Explorer.AssocActionId.EraseDisc
Explorer.AssocActionId.ZipSelection
Explorer.AssocProtocol.search-ms
Explorer.BurnSelection
View goot
{"timestamp": 1650905020.112615, "nmap_cmd": "/usr/local/bin/nmap -p 443 --script /home/ubuntu/melting-cobalt/grab_beacon_config.nse -vv -d -n -T5 -oX - 146.70.78.43", "ip": "146.70.78.43", "port": "443", "protocol": "tcp", "service": "https", "hostnames": null, "x64_sha1": "02ad4534451e12aaaf1d2475d9fb6bf82f97dd80", "x64_sha256": "eb8893e466b4790e6e7504da48c77af6ab2dbc3be45e037e69d39e84642a66b5", "x64_md5": "e1bd2424ea594e55f566ef10a63bd360", "x86_sha1": "d6cb1bea69a5768a6e2c95dc3f3a1d7dbb1cab3c", "x86_sha256": "ee410f1ebf4f6107bdfcf8f507e6f20527b8ea57b8abadf606884abb4cb2b523", "x86_md5": "674cc7b8fd653c9c4c97b800d5eaf032", "x64_config_method_1": "GET", "x64_config_method_2": "POST", "x64_config_port": 443, "x64_config_spawn_to_x64": "%windir%\\sysnative\\rundll32.exe", "x64_config_spawn_to_x86": "%windir%\\syswow64\\rundll32.exe", "x64_config_jitter": 0, "watermark": 1580103824, "c2_host_header": "", "x64_config_polling": 60000, "x64_config_c2_server": ["146.70.78.43/fwlink"], "x64_config_beacon_type": "8 (
View schtask_sd_delete_atomic.md

Install Atomic and ATH

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord  
    IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
    Install-AtomicRedTeam -getAtomics -force

    Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
@MHaggis
MHaggis / RemoteCertTrust.ps1
Created Mar 31, 2022 — forked from mattifestation/RemoteCertTrust.ps1
An example weaponization of trusting a cloned MSFT root CA certificate by installing directly into the registry
View RemoteCertTrust.ps1
$CertThumbprint = '1F3D38F280635F275BE92B87CF83E40E40458400'
View daxin.md

sigcheck64.exe -accepteula -nobanner -c


Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type
"c:\users\administrator\desktop\5400414768496640\06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.","11:59 PM 11/27/2013","Anhua Xinda (Beijing) Technology Co., Ltd.","Microsoft Corporation","WAN Transport Driver","Microsoft Windows Operating System","6.1.7600.1172","6.1.7600.1172","64-bit"
"c:\users\administrator\desktop\5400414768496640\0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.","1:03 AM 9/3/2019","Anhua Xinda (Beijing) Technology Co., Ltd.","Microsoft Corporation","MS LAN Driver","Microsoft® Windows® Operating System","6.1.7600.16385"
@MHaggis
MHaggis / sc.js
Created Feb 2, 2022
DynamicWrapperX - Register Code Example
View sc.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';