MrThreat

  • @grotezinfosec
@MrThreat
MrThreat / findbadlinkers.yar
Created September 17, 2018 05:25
Bsides malware yara rule APT lnk files.
rule lnkfileoverRFC
{
    strings:
        $header = {4c00 0000 0114 0200 0000} // ShellLinkHeader: HeaderSize 0x4C followed by the start of the LinkCLSID
        $command = "C:\\Windows\\System32\\cmd.exe" fullword ascii // cmd.exe is the launcher; it runs findstr next
        $command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} // "/c findstr" as UTF-16LE, the encoding of shortcut arguments when IsUnicode is set
        $base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii // base64 filler (a run of zero bytes) that the decode routine needs
        $cert = "l -decode" ascii // tail of "certutil -decode", the built-in base64 decoder
    condition:
        filesize > 15KB and ($header at 0) and $command and $command2 and $cert and $base64
}
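Added example (mine, not the gist's code): the same five indicators evaluated in plain Python over the MS-SHLLINK header, so the rule's logic can be exercised without yara installed and each hit reported separately for triage. Two things the rule's modifiers encode are worth seeing in code: $command2 is UTF-16LE because COMMAND_LINE_ARGUMENTS is stored as Unicode when the IsUnicode LinkFlag is set, while $cert and $base64 are single-byte strings and therefore have to be satisfied by non-Unicode data, such as the ANSI LocalBasePath or bytes appended after the shell link structure. The sample blob is constructed here and its layout is an assumption, not a real shortcut.

```python
"""Indicator check mirroring the lnkfileoverRFC YARA rule (added example, not the gist's code)."""
import struct

# $header: HeaderSize (0x4C) plus the first six bytes of the LinkCLSID; the full CLSID is
# {00021401-0000-0000-C000-000000000046} and ends with the bytes below.
HEADER_PREFIX = bytes.fromhex("4c000000" "011402000000")
LINK_CLSID_TAIL = bytes.fromhex("0000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits from MS-SHLLINK section 2.1.1.
FLAG_HAS_ARGUMENTS = 0x00000020
FLAG_IS_UNICODE = 0x00000080

# The remaining rule strings as bytes.
IND_CMD = b"C:\\Windows\\System32\\cmd.exe"          # $command  (fullword ascii)
IND_FINDSTR = "/c findstr".encode("utf-16-le")        # $command2 (the rule's hex, plus the trailing 00)
IND_DECODE = b"l -decode"                             # $cert     (tail of "certutil -decode")
IND_B64 = b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD"   # $base64   (zero-byte filler)
MIN_SIZE = 15 * 1024                                  # filesize > 15KB


def parse_header(data):
    """Return the LinkFlags of interest if data starts with a shell link header, else None."""
    if len(data) < HEADER_SIZE or data[:len(HEADER_PREFIX)] != HEADER_PREFIX:
        return None
    flags, attributes = struct.unpack_from("<II", data, 20)
    return {
        "link_flags": flags,
        "file_attributes": attributes,
        "has_arguments": bool(flags & FLAG_HAS_ARGUMENTS),
        "is_unicode": bool(flags & FLAG_IS_UNICODE),
    }


def _fullword(data, needle):
    """YARA 'fullword': a hit not preceded or followed by an ASCII alphanumeric byte."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1


def scan(data):
    """Evaluate each rule string separately so a triage report shows which indicators fired."""
    header = parse_header(data)
    hits = {
        "header_at_0": header is not None,
        "filesize_gt_15kb": len(data) > MIN_SIZE,
        "command": _fullword(data, IND_CMD),
        "command2": IND_FINDSTR in data,
        "cert": IND_DECODE in data,
        "base64": IND_B64 in data,
    }
    return {"header": header, "hits": hits, "match": all(hits.values())}


def matches_rule(data):
    return scan(data)["match"]


def build_sample(malicious=True):
    """Constructed LNK-shaped blob for testing; the layout is an assumption, not a real sample."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:10] = HEADER_PREFIX
    hdr[10:20] = LINK_CLSID_TAIL
    struct.pack_into("<I", hdr, 20, FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)
    base_path = IND_CMD + b"\x00"                      # LinkInfo LocalBasePath is ANSI
    if malicious:
        # COMMAND_LINE_ARGUMENTS is UTF-16LE (IsUnicode set). The decode command and the base64
        # blob are placed after the shell link structure as single-byte data, which is the only
        # way the rule's ascii-modified strings can match alongside a Unicode argument string.
        args = '/c findstr "TVqQ" *.lnk > %TEMP%\\s.b64'.encode("utf-16-le")
        trailer = b"\r\ncertutil -decode %TEMP%\\s.b64 %TEMP%\\s.bin\r\n" + IND_B64 * 8
    else:
        args = "/c dir".encode("utf-16-le")
        trailer = b""
    blob = bytes(hdr) + base_path + args + trailer
    return blob + b"\x00" * max(0, MIN_SIZE + 1 - len(blob))   # the rule needs filesize > 15KB


if __name__ == "__main__":
    for label, sample in (("constructed-bad", build_sample()), ("constructed-benign", build_sample(False))):
        result = scan(sample)
        print(label, "MATCH" if result["match"] else "no match", result["hits"])
```

Run it as a script to see the per-indicator breakdown for both constructed samples; point `scan()` at the bytes of a real .lnk to get the same breakdown for a file under investigation.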
Windows Registry Editor Version 5.00

; Stop Word from updating automatic links (DDE fields included) when a document is opened,
; so a linked-field lure cannot fire without user interaction. One key per installed Office version.
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
; Outlook uses Word as its mail editor, so the same option applies under WordMail.
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
@MrThreat
MrThreat / gist:a602f95320a85043e60a0c661cccd582
Created October 19, 2017 03:37
Finding files linux file system
grep pattern files – Search for the pattern in files
grep -r pattern dir – Search recursively for the pattern in dir
command | grep pattern – Search for the pattern in the output of the command
locate file – Find all instances of the file
find / -name filename – Starting with the root directory, look for the file called filename
rule Rodden
{
meta:
author = "Grotez"
date = "2017-10-18"
description = "datenight"
hash0 = "e523f6c34f9cb9a3652d1fad38b2329b"
sample_filetype = "exe"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
rule Roddendoc
{
meta:
author = "Grotez"
date = "2017-10-18"
description = "datenight"
hash0 = "707feb462bc1845b66eb137f517858a8"
sample_filetype = "office"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
@MrThreat
MrThreat / gist:a3f210baa4ff9009352d11c3b88565ab
Created October 18, 2017 04:51
quick pcap parser for malware
#!/bin/bash
# simple pcap extractor for malware analysis
# @grotezinfosec
# arguments passed
pcap=$1
clear
if [[ $# -lt 1 ]] ; then
  echo "========================"
  echo "= Usage ="
  echo "=./pcap_check PCAP-FILE="
  exit 1
fi
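The gist preview stops at its usage banner, so here is an added example (mine, not the author's script) of the first-pass summary such a tool produces. It uses only the Python standard library so it runs offline: it reads the libpcap global and record headers (handling both byte orders), decodes Ethernet/IPv4 and the TCP or UDP header, and lists unique conversations plus the names queried over DNS. The capture is constructed in code from documentation addresses and a `.test` name; pcapng is out of scope.

```python
"""Stdlib-only libpcap reader for a first look at sandbox traffic (added example, not the gist's script)."""
import socket
import struct

LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield (timestamp, frame) for each record of an in-memory libpcap file (pcapng is out of scope)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a libpcap capture")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dns_qname(payload):
    """First question name from a DNS message; question names are not label-compressed in practice."""
    labels, off = [], 12
    while off < len(payload):
        n = payload[off]
        if n == 0:
            break
        if n & 0xC0:          # a compression pointer here means an odd or malformed message; give up
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) or None


def parse_packet(frame):
    """Decode Ethernet/IPv4 and the TCP or UDP header; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:]
    if ip[9] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        rec.update(proto="tcp", sport=sport, dport=dport, flags=l4[13], payload=l4[(l4[12] >> 4) * 4:])
        return rec
    if ip[9] == 17 and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", l4, 0)
        rec.update(proto="udp", sport=sport, dport=dport, payload=l4[8:ulen])
        if dport == 53:
            rec["dns_query"] = dns_qname(rec["payload"])
        return rec
    return None


def summarize(data):
    """Unique (proto, src, dst, dport) conversations and queried DNS names."""
    convs, names = set(), set()
    for _ts, frame in read_pcap(data):
        rec = parse_packet(frame)
        if rec is None:
            continue
        convs.add((rec["proto"], rec["src"], rec["dst"], rec["dport"]))
        if rec.get("dns_query"):
            names.add(rec["dns_query"])
    return {"conversations": sorted(convs), "dns_names": sorted(names)}


# --- constructed capture: documentation addresses, .test TLD, checksums left zero (not verified above) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _frame(ip):
    return bytes.fromhex("000c29112233" "005056aabbcc" "0800") + ip

def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 8192, 0, 0)

def build_sample_pcap():
    frames = [
        _frame(_ipv4("10.0.0.5", "10.0.0.1", 17, _udp(53211, 53, _dns_query("update.example-cdn.test")))),
        _frame(_ipv4("10.0.0.5", "203.0.113.7", 6, _tcp_syn(49152, 443))),
        _frame(_ipv4("10.0.0.5", "203.0.113.7", 6, _tcp_syn(49153, 8443))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    summary = summarize(build_sample_pcap())
    for conv in summary["conversations"]:
        print("%-3s %s -> %s:%d" % conv)
    print("dns:", ", ".join(summary["dns_names"]))
```

For a real capture, `summarize(open(path, "rb").read())` gives the same two lists; the per-packet records from `parse_packet()` keep the layer-4 payload so a next step can carve HTTP requests or TLS SNI out of the flows that look interesting.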
@MrThreat
MrThreat / gist:b814b4193f45e20d20851c7371d24a02
Created October 15, 2017 06:51
Yararule generator | Dockerfile!
# yaragen Dockerfile
#
# make sure to have this file called "Dockerfile" without quotes.
# docker build -t yaragen .
# docker run --rm -ti yaragen -h
# Pull the base image.
FROM ubuntu:16.04
# Install pre-requisites.
@MrThreat
MrThreat / gist:fb5cbef22ae590b3525697c75b03b104
Last active October 13, 2017 23:15
get ip geolocation powershell v2 |v3 |v3.0+ | and curl nix*
<#
For peerlyst @grotezinfosec
Requires PowerShell 3.0
If you're running *nix use:
curl http://freegeoip.net/xml/
OR
PowerShell v2 (FLARE VM, malware analysis):
(new-object System.Net.WebClient).DownloadString("http://freegeoip.net/xml/")
Note: both calls go out over plain HTTP, and freegeoip.net has since been retired, so substitute a current lookup endpoint.
#>
@MrThreat
MrThreat / gist:1316341ec5e29118a4505918f16a6998
Created October 13, 2017 21:36
clone site recursively and generate hashes for documents
#!/bin/bash
domain=$1
location=$2
if [[ $# -eq 0 ]] ; then
  echo '-------------------------------'
  echo 'please supply url, e.g C2'
  echo '-------------------------------'
  exit 1   # non-zero so a calling script can tell a usage error from success
fi
if [[ $# -eq 1 ]] ; then
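The preview is cut off before the clone and hashing steps, so here is an added example (mine, not the gist's script) of the clone-then-hash workflow in Python. `clone_site` wraps standard wget flags and is not run below (point it at suspect infrastructure only from an isolated analysis VM); `hash_documents` walks the mirrored tree and records MD5, SHA-1 and SHA-256 for document-type files, and `duplicates` groups identical files served under different names, which is common on phishing kits. The directory tree is constructed in a temp dir so it runs offline, and `DOC_EXT` is my choice of extensions, not the author's.

```python
"""Hash the documents in a mirrored site (added example, not the gist's script)."""
import hashlib
import pathlib
import subprocess
import tempfile

# Assumption: the file types worth hashing after a crawl of a lure or payload-hosting site.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".zip", ".lnk", ".js", ".hta", ".exe"}


def clone_site(url, dest):
    """Mirror url into dest with wget (recursive, never above the start path).
    Not called in the demo; run only from an isolated analysis VM."""
    cmd = ["wget", "--recursive", "--no-parent", "--no-verbose", "--directory-prefix", str(dest), url]
    return subprocess.run(cmd, check=False).returncode


def hash_documents(root):
    """One record per document under root: relative path, size, MD5, SHA-1, SHA-256."""
    root = pathlib.Path(root)
    rows = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DOC_EXT:
            continue
        data = path.read_bytes()
        rows.append({
            "path": path.relative_to(root).as_posix(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return rows


def duplicates(rows):
    """Map each SHA-256 shared by more than one path to the list of those paths."""
    by_hash = {}
    for row in rows:
        by_hash.setdefault(row["sha256"], []).append(row["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree():
    """Constructed stand-in for a cloned site so the hashing runs offline."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="clone-"))
    (root / "index.html").write_text("<html>lure</html>")
    (root / "docs").mkdir()
    (root / "docs" / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / "docs" / "invoice (1).pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / "docs" / "update.lnk").write_bytes(bytes.fromhex("4c000000011402000000") + b"\x00" * 66)
    return root


if __name__ == "__main__":
    rows = hash_documents(build_sample_tree())
    for row in rows:
        print(row["sha256"], row["size"], row["path"])
    for digest, paths in duplicates(rows).items():
        print("duplicate", digest[:12], "->", ", ".join(paths))
```

Printing `sha256,size,path` lines is enough to paste into a sharing platform or a blocklist; the duplicate grouping tells you which hashes actually matter before you spend analyst time on each file.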
@MrThreat
MrThreat / gist:da6f106d87824e792a3148fa0fa4b8b4
Created October 13, 2017 21:24
Debian updater | cleaner
# Refresh package lists, then drop cached .debs and orphaned packages before upgrading.
apt-get update && apt-get autoclean -y && apt-get clean -y && apt-get autoremove -y
# Remove /tmp entries untouched for 10+ days. -mindepth 1 keeps /tmp itself out of the match
# set; without it an old ctime on /tmp would hand the directory itself to rm -rf.
find /tmp -mindepth 1 -ctime +10 -exec rm -rf {} +
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
# Same cleanup again to reclaim the space taken by the freshly downloaded .debs.
apt-get update && apt-get autoclean -y && apt-get clean -y && apt-get autoremove -y