I hereby claim:
- I am mhaggis on github.
- I am mhaggis (https://keybase.io/mhaggis) on keybase.
- I have a public key whose fingerprint is FDB2 37EB CB74 CDB8 509B F1F6 DBDE 16A6 A0D4 DB9D
To claim this, I am signing this object:
MHaggis
/ Cryptolocker in Memory
Created
August 23, 2014 16:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jjj | |
| jjj | |
| jjjj | |
| jjjj | |
| jjjj | |
| jjjj | |
| jjjj | |
| Ajj | |
| jjj | |
| jjjj |
MHaggis
/ keybase.md
Created
May 27, 2016 03:11
MHaggis
/ backdoor.sct
Created
January 28, 2017 15:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Empire" | |
| progid="Empire" | |
| version="1.00" | |
| classid="{20001111-0000-0000-0000-0000FEEDACDC}" | |
| > | |
| <!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll --> |
MHaggis
/ config-a.xml
Created
February 14, 2017 20:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="3.20"> | |
| <HashAlgorithms>md5,imphash</HashAlgorithms> | |
| <EventFiltering> | |
| <ProcessCreate onmatch="include"> | |
| <Image condition="contains">cmd.exe</Image> | |
| <Image condition="contains">powershell.exe</Image> | |
| <Image condition="contains">wmic.exe</Image> | |
| <Image condition="contains">cscirpt.exe</Image> | |
| <Image condition="contains">wscript.exe</Image> | |
| <Image condition="contains">net.exe</Image> |
MHaggis
/ SwiftOnSecurity-Config.xml
Created
February 14, 2017 20:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| sysmon-config | A sysmon configuration for everyone | |
| Public Version: 30 | |
| By @SwiftOnSecurity, with contributors credited in-line or on Git | |
| https://github.com/SwiftOnSecurity/sysmon-config | |
| Required Sysmon version: 5.02 | |
| https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx | |
| NOTE: There is best-effort support for 32-bit systems, but it's not a test scenario and will require your own tuning. |
MHaggis
/ applocker.xml
Created
May 4, 2017 17:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <AppLockerPolicy Version="1"> | |
| <RuleCollection Type="Appx" EnforcementMode="NotConfigured" /> | |
| <RuleCollection Type="Dll" EnforcementMode="NotConfigured" /> | |
| <RuleCollection Type="Exe" EnforcementMode="AuditOnly" /> | |
| <RuleCollection Type="Msi" EnforcementMode="NotConfigured" /> | |
| <RuleCollection Type="Script" EnforcementMode="NotConfigured"> | |
| <FilePathRule Id="02cc3f4e-9ecb-4962-a7a0-830e889da641" Name="%OSDRIVE%\Users\%USERPROFILE%\Appdata\roaming\*.js" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> | |
| <Conditions> | |
| <FilePathCondition Path="%OSDRIVE%\Users\%USERPROFILE%\Appdata\roaming\*.js" /> | |
| </Conditions> |
MHaggis
/ ransomware.json
Last active
May 15, 2017 22:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "wmic": { | |
| "process_name": ["wmic.exe"], | |
| "cmdline": ["wmic shadowcopy delete"] | |
| }, | |
| "Vssadmin": { | |
| "process_name": ["vssadmin.exe"], | |
| "cmdline": ["vssadmin delete shadows /all /quiet"] | |
| }, | |
| "bcdedit": { |
MHaggis
/ file-sharing-and-backup.json
Created
May 31, 2017 15:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Backblaze": { | |
| "process_name": ["bztransmit.exe"] | |
| }, | |
| "Box": { | |
| "process_name": ["boxsync.exe", | |
| "boxsyncmonitor.exe", | |
| "syncupdaterservice.exe"] | |
| }, | |
| "Carbonite": { |
MHaggis
/ CB ingress events list
Created
September 21, 2017 16:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ingress.event.process | |
| # ingress.event.procstart | |
| # ingress.event.netconn | |
| # ingress.event.procend | |
| # ingress.event.childproc | |
| # ingress.event.moduleload | |
| # ingress.event.module | |
| # ingress.event.filemod | |
| # ingress.event.regmod | |
| # ingress.event.tamper |
MHaggis
/ What I Recommend for CB event forwarder
Created
September 21, 2017 16:57
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ingress.event.procstart | |
| # ingress.event.netconn | |
| # ingress.event.processblock | |
| # ingress.event.emetmitigation | |
| # watchlist.hit.process | |
| # watchlist.hit.binary | |
| # watchlist.storage.hit.process | |
| # watchlist.storage.hit.binary |
OlderNewer