ajpc500
/ ReflectedDll.c
Created
December 15, 2021 14:39
— forked from Cracked5pider/ReflectedDll.c
Get output from injected reflected dll
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //===============================================================================================// | |
| // This is a stub for the actuall functionality of the DLL. | |
| //===============================================================================================// | |
| #include "ReflectiveLoader.h" | |
| #include <stdio.h> | |
| // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are | |
| // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own | |
| // DllMain and use the LoadRemoteLibraryR() API to inject this DLL. |
ajpc500
/ c3_reflective_dll_artefacts.yara
Created
June 16, 2021 20:06
Yara rule to detect C3 shellcode in-memory based on known strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule C3_reflective_dll_artefact { | |
| meta: | |
| description = "C3 Reflective DLL Artefacts" | |
| author = "ajpc500" | |
| date = "2021-06-09" | |
| strings: | |
| $s1 = "NodeRelayDll_r64.dll" | |
| $s2 = "NodeRelayDll_r86.dll" | |
| $sx = "StartNodeRelay" | |
ajpc500
/ sharpsphere.yara
Created
June 16, 2021 18:17
Yara rule to detect James Coote's (@jkcoote) SharpSphere tool, either on-disk or in-memory.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule SharpSphere { | |
| meta: | |
| description = "Strings in SharpSphere binary." | |
| author = "Alfie Champion (ajpc500)" | |
| date = "2021-06-12" | |
| strings: | |
| $s0 = "SharpSphere" ascii wide | |
| $s1 = "Upload file to target VM" ascii wide | |
| $s2 = "Download file from target VM" ascii wide | |
| $s3 = "[x] Attempting to execute with cmd /c the following command:" wide |
ajpc500
/ log-forwarding-with-etw.ps1
Last active
June 29, 2023 01:31
Quick-and-dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward logs to HELK based on IP set in environment variable "HELK_IP" (see Line 224).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
ajpc500
/ binToUUIDs.yara
Created
January 24, 2021 18:04
PoC Yara rule for PE shellcode artefacts in UUIDs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule PEs_converted_to_UUID { | |
| meta: | |
| description = "Loading PE shellcode through UUIDs" | |
| author = "ajpc500" | |
| date = "2021-01-24" | |
| reference_url1 = "https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/" | |
| reference_url2 = "https://gist.github.com/rxwx/c5e0e5bba8c272eb6daa587115ae0014#file-uuid-c" | |
| strings: | |
| // UUIDs for "This program cannot be run in DOS mode" | |
| $s1 = "70207369-6f72-7267-616d-2063616e6e6f" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from uuid import UUID | |
| import os | |
| import sys | |
| # Usage: python3 binToUUIDs.py shellcode.bin [--print] | |
| print(""" | |
| ____ _ _______ _ _ _ _ _____ _____ | |
| | _ \(_) |__ __| | | | | | | |_ _| __ \ | |
| | |_) |_ _ __ | | ___ | | | | | | | | | | | | |___ |