Skip to content

Instantly share code, notes, and snippets.

caseysmithrc

Block or report user

Report or block caseysmithrc

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@caseysmithrc
caseysmithrc / sysmonconfig.xml
Created May 19, 2019
Sample Config Sysmon, Focusing on Process Access
View sysmonconfig.xml
<Sysmon schemaversion="4.10">
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<ProcessCreate onmatch="exclude" />
<FileCreateTime onmatch="include" />
<NetworkConnect onmatch="include" />
<ProcessTerminate onmatch="include" />
<DriverLoad onmatch="include" />
<ImageLoad onmatch="include" />
<CreateRemoteThread onmatch="include" />
@caseysmithrc
caseysmithrc / _commands.txt
Created May 18, 2019
Basic PoC JavaScript Keylogger Example
View _commands.txt
php -S localhost:9000
@caseysmithrc
caseysmithrc / T1117.yaml
Created May 17, 2019
Atomic Red Team Example
View T1117.yaml
---
attack_technique: T1117
display_name: Regsvr32
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
supported_platforms:
- windows
input_arguments:
@caseysmithrc
caseysmithrc / crossproc-gadget.cs
Last active May 16, 2019
Cross Process , Process Access Example
View crossproc-gadget.cs
/*
To run:
1. Compile code - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe crossproc-gadget.cs
2. Usage: cpgadget.exe 4444 4096
(where pid and premissions are both integers)
Author: Casey Smith, Twitter: @subTee
@caseysmithrc
caseysmithrc / datasources.csv
Created May 15, 2019
MITRE - Updated Data Source Analysis
View datasources.csv
T1156 File monitoring
T1156 Process monitoring
T1156 Process command-line parameters
T1156 Process use of network
T1134 API monitoring
T1134 Access tokens
T1134 Process monitoring
T1134 Process command-line parameters
T1015 Windows Registry
T1015 File monitoring
View gethelp.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View test_chain_reaction.ps1
Import-Module .\execution-frameworks\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam\Invoke-AtomicRedTeam.psm1
$G0007 = @("T1002","T1003","T1005","T1014","T1027","T1037","T1040","T1056","T1057","T1059","T1064","T1070","T1071","T1074","T1075","T1083","T1085","T1086","T1090"
,"T1099","T1105","T1107","T1113","T1114","T1119","T1122","T1134","T1137","T1140","T1158","T1173" )
foreach ($technique in $G0007)
{
try
{
New-Variable -Name "$technique" -Value (Get-AtomicTechnique ".\atomics\$technique\$technique.yaml")
}
catch {}
@caseysmithrc
caseysmithrc / Invoke-NinjaCopy.ps1
Created Apr 26, 2019
Invoke-NinjaCopy - Minor Update to fix Ambiguous Reference
View Invoke-NinjaCopy.ps1
function Invoke-NinjaCopy
{
<#
.SYNOPSIS
This script can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This requires you
are an administrator of the server. This allows you to bypass the following protections:
1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives
2. SACL flag set on a file to alert when the file is opened (I'm not using a Win32 API to open the file, so Windows has no clue)
3. Bypass DACL's, such as a DACL which only allows SYSTEM to open a file
@caseysmithrc
caseysmithrc / Get-InjectedThread.ps1
Created Apr 22, 2019 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
View Get-InjectedThread.ps1
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@caseysmithrc
caseysmithrc / TestMSHTAShellcodeDelivery.ps1
Last active May 15, 2019
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
View TestMSHTAShellcodeDelivery.ps1
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credtis for CACTUSTORCH HERE
I was in escape sequcence hell ;-)
' ( ) ( )
You can’t perform that action at this time.