Zander Work (captainGeech42)
👽 happy pwning my dudes
@captainGeech42
captainGeech42 / vnc.md
Last active April 14, 2024 14:10
Setup VNC on Ubuntu Server

Install a desktop environment and a VNC server; XFCE (pulled in by xubuntu-desktop) is my preference for VNC setups.

$ sudo apt install xubuntu-desktop tightvncserver
$ sudo reboot

Next, configure the VNC session behavior. vncpasswd prompts for a password interactively; it is separate from the account's login password and is written to ~/.vnc/passwd. Two caveats: VNC authentication only uses the first 8 characters of the password, and the file is obfuscated with a fixed DES key rather than hashed, so keep it mode 0600 and do not reuse a real password there.

$ mkdir ~/.vnc
#!/usr/bin/env python3
"""
A script to output tabular data from a Storm query. Stormfile queries must emit data via $lib.csv.emit()
Based on Synapse's csvtool
source: https://github.com/vertexproject/synapse/blob/master/synapse/tools/csvtool.py
"""
import argparse
@captainGeech42
captainGeech42 / ctf_patch.py
Last active May 21, 2022 07:25
Patch out common annoying functions in CTF binaries
IMPORTS_TO_PATCH = [
"alarm",
"ptrace"
]
# iterate over imported symbols
for import_sym in bv.get_symbols_of_type(SymbolType.ImportedFunctionSymbol):
# check if symbol is in the patch list
if import_sym.name in IMPORTS_TO_PATCH:
log.log_info(f"patching out call to {import_sym.name}")
@captainGeech42
captainGeech42 / otpboi.py
Last active April 24, 2022 00:22
Simple TOTP manager, backed by sqlite, intended for backing up TOTP in a usable manner.
#!/usr/bin/env python3
# script for managing OTP codes. requires py3.6+
# secrets can optionally be encrypted at rest with pbkdf2/chacha20
# uses a sqlite database for storing data
# to run tests: python -m pytest otpboi.py
import argparse
import base64
import binascii
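As an added example (this is not the otpboi.py code above), here is the stdlib-only core such a manager needs: RFC 6238 TOTP generation, verification with a clock-skew window and a constant-time comparison, and an in-memory sqlite table for the secrets. It is checked against the RFC 6238 SHA-1 test vectors (secret "12345678901234567890"). The encryption at rest the gist mentions (PBKDF2 + ChaCha20) is left out because ChaCha20 is not in the standard library; the account name in `main` is constructed for the demo.

```python
#!/usr/bin/env python3
"""Minimal TOTP core (RFC 6238) with a sqlite-backed secret store. Added example, stdlib only."""
import base64
import hashlib  # noqa: F401  (the real tool derives an at-rest key with hashlib.pbkdf2_hmac)
import hmac
import sqlite3
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890") in base32: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def b32_secret(secret):
    """Decode a base32 secret, tolerating the unpadded, lower-case, space-separated forms seen in otpauth URIs."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo="sha1"):
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    t = time.time() if for_time is None else for_time
    return hotp(b32_secret(secret), int(t) // step, digits, algo)


def verify(secret, code, for_time=None, window=1, step=30, digits=6, algo="sha1"):
    """Accept the code for the current step and the `window` steps on either side.
    compare_digest keeps the check constant-time so it does not leak which digits matched."""
    t = time.time() if for_time is None else for_time
    for skew in range(-window, window + 1):
        candidate = totp(secret, t + skew * step, step, digits, algo)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class SecretStore:
    """sqlite-backed account -> secret table (stored in the clear here; the real tool encrypts the column)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS accounts (name TEXT PRIMARY KEY, secret TEXT NOT NULL,"
            " digits INTEGER NOT NULL DEFAULT 6, step INTEGER NOT NULL DEFAULT 30)"
        )

    def add(self, name, secret, digits=6, step=30):
        b32_secret(secret)  # reject a malformed secret before it is persisted
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO accounts VALUES (?, ?, ?, ?)", (name, secret, digits, step))

    def code(self, name, for_time=None):
        row = self.db.execute("SELECT secret, digits, step FROM accounts WHERE name = ?", (name,)).fetchone()
        if row is None:
            raise KeyError(name)
        secret, digits, step = row
        return totp(secret, for_time, step, digits)

    def names(self):
        return [r[0] for r in self.db.execute("SELECT name FROM accounts ORDER BY name")]


if __name__ == "__main__":
    store = SecretStore()
    store.add("demo@example.org", RFC_SECRET_B32)  # constructed account for the demo
    print(store.names(), store.code("demo@example.org"))
```

The skew window is the usual trade-off: one step either side absorbs clock drift between the phone and the server, while anything wider makes brute force cheaper; the real tool should also refuse to accept the same code twice within a step.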
@captainGeech42
captainGeech42 / pe_load_getproc.yara
Last active April 20, 2022 21:34
Yara rule for PEs with only LoadLibrary* and GetProcAddress imports
import "pe"
rule Methodology_PE_LoadLibraryGetProcAddrOnly {
meta:
date = "2022-04-18"
author = "Zander Work (@captainGeech42)"
ref = "80ecb9e09772f5c54b2c02519ed68883"
desc = "Look for binaries with only LoadLibrary* and GetProcAddress imports. Not necessarily a sign of maliciousness, but worth looking into probably."
condition:
pe.is_pe and pe.number_of_imported_functions == 2 and
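The condition is cut off in the listing above. As an added example (not the gist's YARA rule), here is the same methodology check written in Python against the raw import directory, so it can be applied where YARA's `pe` module is not available: a minimal PE32/PE32+ import-table walker and the "exactly two imports, LoadLibrary* plus GetProcAddress" test. `build_test_pe()` is a constructed fixture that emits a synthetic PE32 with a single .idata section importing the given names from kernel32.dll; it is not a real sample, and the ref hash in the rule is not used here.

```python
#!/usr/bin/env python3
"""Walk a PE import directory and flag images whose only imports are LoadLibrary*/GetProcAddress.
Added example; build_test_pe() constructs a synthetic PE32, not a real sample."""
import struct


def _rva_to_off(rva, sections):
    """Map an RVA to a file offset via the section table entries (va, vsize, raw, rawsize)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_imports(data):
    """Return [(dll, function_name_or_'#ordinal'), ...] for the PE32/PE32+ image in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # data directory 1 is IMAGE_DIRECTORY_ENTRY_IMPORT; directories start at +96 (PE32) / +112 (PE32+)
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sect_hdr = opt + opt_size
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, sect_hdr + i * 40 + 8)
        sections.append((va, vsize, raw, rawsize))
    imports = []
    if imp_rva == 0:
        return imports  # no import directory at all, which is itself worth a look
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    desc = _rva_to_off(imp_rva, sections)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:  # an all-zero descriptor terminates the table
            break
        dll = _cstr(data, _rva_to_off(name_rva, sections))
        thunk = _rva_to_off(oft or ft, sections)  # prefer the ILT, fall back to the IAT if it is absent
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                imports.append((dll, f"#{entry & 0xFFFF}"))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                imports.append((dll, _cstr(data, _rva_to_off(entry & 0x7FFFFFFF, sections) + 2)))
            thunk += thunk_len
        desc += 20
    return imports


def only_loadlibrary_getproc(imports):
    """The rule's methodology: exactly two imported functions, one LoadLibrary* and GetProcAddress."""
    names = [n for _, n in imports]
    return (len(names) == 2 and "GetProcAddress" in names
            and any(n.startswith("LoadLibrary") for n in names))


def build_test_pe(names, dll=b"kernel32.dll"):
    """Constructed fixture: PE32 with one .idata section at RVA 0x1000 importing `names` from `dll`."""
    base, thunk_off = 0x1000, 40  # [descriptor][null descriptor] then the thunk table
    str_base = thunk_off + 4 * (len(names) + 1)
    strings, thunks = bytearray(), []
    for n in names:
        thunks.append(base + str_base + len(strings))  # RVA of this IMAGE_IMPORT_BY_NAME entry
        strings += b"\0\0" + n.encode() + b"\0"
    dll_rva = base + str_base + len(strings)
    strings += dll + b"\0"
    body = struct.pack("<IIIII", base + thunk_off, 0, 0, dll_rva, base + thunk_off) + b"\0" * 20
    body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4 + strings
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, base, 40)  # import directory RVA / size
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", 0x200, base, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + bytes(body).ljust(0x200, b"\0")


if __name__ == "__main__":
    for names in (["LoadLibraryA", "GetProcAddress"], ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]):
        imps = pe_imports(build_test_pe(names))
        print(imps, "->", only_loadlibrary_getproc(imps))
```

Real samples that hit this rule usually resolve everything else at runtime by hashing export names, so the next thing to check after the import table is the string table and any loop that walks kernel32's export directory.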
@captainGeech42
captainGeech42 / no_manifest.yara
Created March 13, 2022 15:58
Yara rule looking for PE files with no manifest
import "pe"
rule Feature_PE_NoManifest {
meta:
date = "2022-03-13"
author = "Zander Work (@captainGeech42)"
descr = "Look for PE files that don't have a manifest. This could be indicative of malicious files trying to reduce their footprint."
notes = "When building a binary with MSVC, the manifest can be disabled by passing /MANIFEST:NO to link.exe. By default, a manifest is generated when compiling via Visual Studio."
ref_manifest = "https://gist.github.com/captainGeech42/5e0bf655d048a562336ce99eea23dccc"
ref_sample = "ade0b06ef992926f5e5c80b69af19a70"
@captainGeech42
captainGeech42 / scriptobf_replaceempty.yara
Last active January 11, 2022 02:19
Yara rule that detects string.replace() being used for possible script obfuscation
rule Methodology_ScriptObf_ReplaceEmpty {
meta:
author = "Zander Work (@captainGeech42)"
descr = "Detects the use of string.Replace() or similar, where the replacement string is an empty string. This is a common technique for basic script obfuscation."
strings:
// doesn't hit on the search string being passed in as a variable FYSA
$re1 = /replace\(["'].*["'], ["']["']\)/ nocase // catches basic usage in at least python and powershell
$re2 = /replace\(["'].*["'], ["']["'], \d+\)/ // python str.replace has an optional third argument, a number. this only catches a decimal number fysa
$re3 = /replace\(\/.*\/\w*, ["']["']\)/ // javascript String.prototype.replace can take a regex pattern for the first argument
$re4 = /replace\(\w+, ["'].*["'], ["']["']/ nocase // vbscript replace takes at least 3 arguments: var to replace in, search string, replacement string. there are three more optional args
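The four patterns above are YARA syntax but translate directly into Python's `re` (`nocase` becomes `re.IGNORECASE`). As an added example (not the gist's rule), the block below runs the same patterns over constructed one-liners from each language the comments mention, including the two cases the comments call out: a search string passed in as a variable, which is a documented miss, and a non-empty replacement, which should not fire.

```python
#!/usr/bin/env python3
"""Run the Methodology_ScriptObf_ReplaceEmpty patterns over constructed sample lines. Added example."""
import re

# Same patterns as the YARA strings; `nocase` becomes re.IGNORECASE
RULES = {
    "re1": re.compile(r'''replace\(["'].*["'], ["']["']\)''', re.IGNORECASE),
    "re2": re.compile(r'''replace\(["'].*["'], ["']["'], \d+\)'''),
    "re3": re.compile(r'''replace\(\/.*\/\w*, ["']["']\)'''),
    "re4": re.compile(r'''replace\(\w+, ["'].*["'], ["']["']''', re.IGNORECASE),
}

# Constructed samples (not taken from any real script): (language, line, rules expected to fire)
SAMPLES = [
    ("python",     'payload = blob.replace("#", "")',     {"re1"}),
    ("python",     'payload = blob.replace("#", "", 3)',  {"re2"}),
    ("powershell", "$s = $enc.Replace('~', '')",         {"re1"}),
    ("javascript", r"var s = t.replace(/\s/g, '')",       {"re3"}),
    ("vbscript",   'x = Replace(s, "!", "")',             {"re4"}),
    ("python",     'out = data.replace(sep, "")',         set()),  # search string in a variable: known miss
    ("python",     'name = name.replace(" ", "_")',       set()),  # non-empty replacement: not obfuscation
]


def matching_rules(line):
    """Return the set of rule names whose pattern fires anywhere in `line`."""
    return {name for name, rx in RULES.items() if rx.search(line)}


def scan(text):
    """Scan a whole script: [(line_no, [rules...]), ...] for the lines that hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        rules = matching_rules(line)
        if rules:
            hits.append((no, sorted(rules)))
    return hits


if __name__ == "__main__":
    for lang, line, expected in SAMPLES:
        got = matching_rules(line)
        names = ", ".join(sorted(got)) or "-"
        status = "ok" if got == expected else "MISMATCH"
        print(f"{lang:<11}{names:<10}{status:<9}{line}")
```

The greedy `.*` in re1 and re4 is what makes a single long line with several `replace(` calls match as one hit, so when triaging, pull the matched span rather than the whole line.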
@captainGeech42
captainGeech42 / gen_qtypes.py
Created December 19, 2021 04:15
Take all of the lines, remove leading/trailing whitespace and comments, and stick them in "in"
# https://github.com/miekg/dns/blob/master/types.go#L27
with open("in", "r") as f:
lines = [x.strip() for x in f.readlines()]
for l in lines:
parts = l.split("uint16 = ")
type = parts[0].strip()[4:]
val = parts[1]
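As an added example (not the gist), the block below does the same extraction directly on lines in the format of miekg/dns `types.go`, skipping comments and anything that is not a `TypeX uint16 = N` constant, so the "in" file does not have to be hand-cleaned first. The sample text is constructed here in that format using the IANA RR type numbers.

```python
#!/usr/bin/env python3
"""Parse `TypeXXX uint16 = N` constants (miekg/dns types.go style) into a qtype table. Added example."""
import re

# Constructed sample in the types.go format; the numbers are the IANA RR type codes
SAMPLE = """\
const (
    TypeNone  uint16 = 0
    TypeA     uint16 = 1
    TypeNS    uint16 = 2
    TypeCNAME uint16 = 5 // canonical name
    TypeSOA   uint16 = 6
    // TypeMD is obsolete
    TypeMX    uint16 = 15
    TypeTXT   uint16 = 16
    TypeAAAA  uint16 = 28
    TypeANY   uint16 = 255
)
"""

# name after the "Type" prefix, the uint16 type, the value, and an optional trailing // comment
CONST_RE = re.compile(r"^\s*Type(\w+)\s+uint16\s*=\s*(\d+)\s*(?://.*)?$")


def parse_qtypes(text):
    """Return {name: value}; comment lines and non-constant lines simply do not match."""
    table = {}
    for line in text.splitlines():
        m = CONST_RE.match(line)
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def by_value(table):
    """Inverse map, for turning a numeric QTYPE pulled from a packet back into its mnemonic."""
    return {v: k for k, v in table.items()}


if __name__ == "__main__":
    qtypes = parse_qtypes(SAMPLE)
    print(qtypes)
    print(by_value(qtypes).get(28))
```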
@captainGeech42
captainGeech42 / export_ctftime.py
Created November 9, 2021 01:31
Export ctftime compatible scoreboard from rCTF
#!/usr/bin/env python3
import requests
import sys
# use an account with bit 1<<2 set (put 7 for ultimate laziness)
BASE_URL = "https://damctf.xyz"
TEAM_TOKEN = "redacted" # the thing from the url on the team profile page
@captainGeech42
captainGeech42 / powershell_parser.kql
Last active October 27, 2021 08:21
PowerShell Event Log Parser for Azure Sentinel (EID 4103/4104)
let EventData = Event
| where Source == "Microsoft-Windows-PowerShell"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated,
Source,
EventID,
Computer,
UserName,
EventData,
RenderedDescription
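The KQL above is cut off after the projection. As an added Python example (not part of the gist), here is the companion step an analyst usually needs once the 4104 events are pulled out: reassembling script blocks that PowerShell split across several 4104 records, and flagging the ones that never completed. The field names (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal, Path) are the EventData fields PowerShell writes for 4104; the records themselves are constructed samples, not real telemetry, and the marker list is illustrative.

```python
#!/usr/bin/env python3
"""Reassemble multi-part PowerShell 4104 script-block events. Added example with constructed records."""
from collections import defaultdict

# Constructed sample records (EventData fields as PowerShell logs them for 4104); not real telemetry
EVENTS = [
    {"EventID": 4104, "Computer": "ws01", "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Invoke-Expression $d", "Path": ""},
    {"EventID": 4104, "Computer": "ws01", "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$d = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b));",
     "Path": ""},
    {"EventID": 4104, "Computer": "ws01", "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Sort-Object CPU", "Path": "C:\\scripts\\top.ps1"},
    {"EventID": 4104, "Computer": "ws02", "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "function Get-Thing {", "Path": ""},  # parts 2 and 3 never arrived
    {"EventID": 4103, "Computer": "ws01", "ScriptBlockId": "", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "", "Path": ""},  # 4103 pipeline record, not a script block
]

# Illustrative markers only; a real rule set would be far longer and tuned to the environment
SUSPICIOUS = ("FromBase64String", "Invoke-Expression", "IEX", "DownloadString", "-EncodedCommand")


def reassemble(events):
    """Group 4104 records by ScriptBlockId and join the parts in MessageNumber order.
    Returns {ScriptBlockId: {"text", "parts", "total", "complete", "computer", "path"}}."""
    parts = defaultdict(dict)
    meta = {}
    for ev in events:
        if ev.get("EventID") != 4104 or not ev.get("ScriptBlockId"):
            continue
        sbid = ev["ScriptBlockId"]
        parts[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta[sbid] = {"total": int(ev["MessageTotal"]), "computer": ev["Computer"], "path": ev["Path"]}
    out = {}
    for sbid, chunks in parts.items():
        total = meta[sbid]["total"]
        out[sbid] = {
            "text": "".join(chunks[i] for i in sorted(chunks)),
            "parts": len(chunks),
            "total": total,
            "complete": set(chunks) == set(range(1, total + 1)),  # every MessageNumber 1..total seen
            "computer": meta[sbid]["computer"],
            "path": meta[sbid]["path"] or "<interactive or in-memory>",  # empty Path is itself a signal
        }
    return out


def suspicious_blocks(assembled):
    """ScriptBlockIds whose reassembled text contains any of the markers above."""
    return sorted(sbid for sbid, b in assembled.items() if any(m in b["text"] for m in SUSPICIOUS))


if __name__ == "__main__":
    blocks = reassemble(EVENTS)
    for sbid, b in blocks.items():
        state = "complete" if b["complete"] else f"partial {b['parts']}/{b['total']}"
        print(f"{sbid} {b['computer']} {state} {b['path']}\n    {b['text']}")
    print("suspicious:", suspicious_blocks(blocks))
```

Reassembling before matching matters because a marker such as FromBase64String can straddle two 4104 records, and a per-event query over ScriptBlockText would miss it; the incomplete c3 block is also worth keeping, since missing parts usually mean log loss or a host that stopped forwarding.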