These are some notes I put together on butchering the rectangular dishy cable.
FOLLOW THESE GUIDELINES AT YOUR OWN RISK. I TAKE NO RESPONSIBILITY FOR ANY DAMAGE OR INJURY YOU SUSTAIN FROM FOLLOWING OR NOT FOLLOWING THESE GUIDELINES.
Rough summary of developing BadRabbit info
------------------------------------------
BadRabbit is locally-self-propagating ransomware (ransom: 0.05 BTC), spreading via SMB once inside.
Requires user interaction.
Mostly targeting Russia and Ukraine so far, with a few others (Germany, Turkey, Bulgaria, Montenegro ...)
Not globally self-propagating, but could be inflicted on selected targets on purpose.
May be part of the same group targeting Ukraine generally (BACKSWING) (per FireEye)
Confirmed to use the ETERNALROMANCE exploit, and the same source code and build chain as NotPetya (per Talos)
Mitigations are similar to those for Petya/NotPetya. An inoculation is also available (see below).
# Flag NTLM credential-validation events (4776) whose message mentions RULER,
# the workstation name the Ruler tool sends during authentication.
Get-EventLog -InstanceId 4776 -LogName "Security" | ForEach-Object {
    $sp = $_.message -split "`n"
    $tmp = $sp | Select-String -Pattern 'RULER'
    if ($tmp.count -ge 1) {
        Write-Host "Possible Ruler usage at: " $_.TimeGenerated
        $sp | Select-String -Pattern 'Logon Account:' | Write-Host
    }
}
# Powershell script to bypass UAC on Vista+ assuming
# there exists one elevated process on the same desktop.
# Technical details in:
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html
# https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html
# You need to Install-Module NtObjectManager for this to run.
Import-Module NtObjectManager
Product: Sagitta Brutalis 1080 (PN S3480-GTX-1080-2697-128)
Software: Hashcat v3.00-beta-145-g069634a, Nvidia driver 367.18
Accelerator: 8x Nvidia GTX 1080 Founders Edition
# Adapted from https://developers.yubico.com/ykneo-openpgp/ResetApplet.html
# Deliberately fails PIN verification (user PIN 0x81 four times, admin PIN 0x83)
# to exhaust the retry counters before the OpenPGP applet is terminated and reactivated.
gpg-connect-agent <<EOF
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
#region Scriptblocks that will execute upon alert trigger
# Fires when the WMI event subscription sees a remote method call; pull the
# fields an alert should carry (time, method, namespace, target object, caller).
$LateralMovementDetected = {
    $Event = $EventArgs.NewEvent
    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
    $MethodName = $Event.MethodName
    $Namespace = $Event.Namespace
    $Object = $Event.ObjectPath
    $User = $Event.User
#!/bin/bash
set -e # bail on errors
# Make sure your shell history isn't saved (the PIN would otherwise land in it)
hsback=$HISTFILE
unset HISTFILE
echo "Enter your current PIN - leave blank if default:"
read -r oldpin