MHaggis / HVC_LOLDrivers_check_csv.ps1
Created November 21, 2023 02:44
Based on the Trail of Bits HVCI LOLDrivers Check script - just outputs to CSV
Compares the HVCI block list on the current system against the list of
vulnerable and malicious drivers from
Company: Trail of Bits
Author: Michael Lin
Contributors: Yarden Shafir
License: Apache 2
MHaggis / T1059.yaml
Created November 8, 2023 18:22
You will need to create the T1059 folder in the Atomics directory. Save this as a new YAML file in that directory. A second folder under T1059 will be src; place the au3 file there.
attack_technique: T1059
display_name: Command and Scripting Interpreter
- name: AutoIt Message Box Test with Download and Extract
description: |
Downloads AutoIt to the temporary directory, extracts it, and executes an AutoIt script that shows a message box.
- windows
View T1562.001.yaml
- name: Enable Dev Drive With Disabled AV Using Fsutil
description: |
This test simulates an adversary enabling a Developer Drive using fsutil.exe with arguments that disable antivirus (AV) on the created drive.
This technique requires administrative privileges and is relevant for Windows 11 environments starting with Build #10.0.22621.2338 or later.
The execution of this command should be closely monitored and flagged in production environments.
Ref. and
- windows
View F5 TMUI Exploitation

my fav one:

| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
MHaggis /
Created October 31, 2023 18:12
You'll probably need to change line 6 or make a logs dir.
from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime
import logging
# Timestamp used to give each run its own log file (line was garbled in extraction)
current_datetime = datetime.now().strftime('%Y%m%d_%H%M%S')
log_file_name = f'logs/app_{current_datetime}.log'
class EmulatedServer(BaseHTTPRequestHandler):
MHaggis / T1547.yaml
Created October 18, 2023 15:23
Atomic Red Team
- name: 'HKCU - Add Registry Key Under CurrentVersion\Windows'
description: |
This test attempts to add a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
which points to a potential payload "calc.exe". This can be indicative of an attacker trying to achieve persistence or other malicious objectives.
- windows
View T1553.003.yaml
attack_technique: T1553.003
display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
description: |
Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from and registers it using regsvr32, thereby causing
the system to utilize it during signature checks, and logging said checks.
MHaggis /
Created October 10, 2023 19:47
Inventory SIP

Place in inputs.conf and watch the SIP roll in.

# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
script = $registryPaths = @("HKLM:\SOFTWARE\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1"); $registryPaths | ForEach-Object {Get-ChildItem -Recurse $_ | ForEach-Object {$key=$_; $props=$key.GetValueNames(); $propDataPairs=@{}; for ($i=0; $i -lt $props.Length; $i++) {$propDataPairs[$props[$i]]=$key.GetValue($props[$i])}; $outputObj=[PSCustomObject]@{Path=$key.PSPath;PSChildName=$key.PSChildName}; $propDataPairs.GetEnumerator() | ForEach-Object {Add-Member -InputObject $outputObj -NotePropertyName $_.Name -NotePropertyValue $_.Val
View T1218.yaml
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
description: |
Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
Registry keys are deleted after successful execution.
- windows
command: |
MHaggis / T1574.001.yaml
Created September 20, 2023 14:40
#AtomicWednesdays T1574.001 - PrintDemon
- name: PrintDemon
description: |
Atomic Test to emulate PrintDemon.
Also seen on TryHackme -
- windows
description: File path for ualapi.dll