$ aws ec2 describe-images --owners 505638924199 --executable-users all
{
"Images": [
{
"Architecture": "x86_64",
"CreationDate": "2019-03-05T04:27:56.000Z",
"ImageId": "ami-00ae1022c8a735d81",
"ImageLocation": "505638924199/import-ami-09eb68f773fab5bf8",
"ImageType": "machine",
"Public": true,

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2019-03-12T06:13:46.6956561</Date>
<Author>WEF\vagrant</Author>
<Description>Grabs the latest config from the Caldera server</Description>
<URI>\Caldera_Config_Fixer</URI>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>

# This script downloads an updated Caldera config if the one in place
# is found to not match the one on the server
$tempCalderaCertFromServer = "c:\windows\temp\conf.yml"
$cagentConfPath = "C:\Program Files\cagent\conf.yml"
try {
# The callback below returns $true for every certificate, which disables TLS certificate validation for this download
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;(New-Object System.Net.WebClient).DownloadFile('https://logger:8888/conf.yml', $tempCalderaCertFromServer)
} catch {
Write-Host "The Caldera server cannot be reached at this time."

{
"platform": "linux",
"schedule": {
"detect_responder": {
"query": "SELECT * FROM detect_responder;",
"interval": 10
}
}
}
@clong
clong / tty_upgrade.md
Created April 2, 2018 06:01
TTY upgrade

Python shell launched and caught:

osquery> select distinct(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port from processes join process_open_sockets using (pid) left outer join process_open_files on processes.pid = process_open_files.pid WHERE (name='Python' OR name='sh' OR name='bash') AND  process_open_files.pid is null;
+-----+--------+--------+-----------------------------------------------------------------------------------------------------+------------+--------------+------+-----+-----+------------+----------------+-------------+
| pid | parent | name   | path                                                                                                | cmdline    | cwd          | root | uid | gid | start_time | remote_address | remote_port |
+-----+--------+--------+------------------------------------------
@clong
clong / fleet_snippet.sh
Created March 22, 2018 02:32
fleet_snippet
# Generate a base64 encoded random string with length provided in $1
function generate_random() {
docker run --rm --entrypoint sh kolide/openssl -c "cat /dev/random | base64 | head -c $1"
}
$ sudo osqueryi --extension osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext --allow_unsafe --verbose
I1214 15:24:28.376690 3197526976 init.cpp:382] osquery initialized [version=2.10.2]
I1214 15:24:28.376940 3197526976 extensions.cpp:288] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I1214 15:24:28.378172 153985024 watcher.cpp:563] Created and monitoring extension child (30280): osquery-facebook/build/darwin10.12/external/extension_efigy/efigy.ext
I1214 15:24:28.378330 155058176 interface.cpp:327] Extension manager service starting: .osquery/shell.em
Connecting to the running osquery instance...
I1214 15:24:28.388691 3197526976 init.cpp:385] osquery extension initialized [sdk=2.10.4]
I1214 15:24:28.391145 156119040 interface.cpp:141] Registering extension (efigy, 42198, version=1.0.0, sdk=2.10.4)
I1214 15:24:28.410346 156119040 registry.cpp:351] Extension 42198 registered table plugin efigy
I1214 15:24:28.412704 56770560 interface.cpp:316] Extension service
@clong
clong / cmd2.c
Created November 26, 2017 19:23
cmd2.c
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "=")!=0;
r += strstr(cmd, "PATH")!=0;
r += strstr(cmd, "export")!=0;
r += strstr(cmd, "/")!=0;
r += strstr(cmd, "`")!=0;
@clong
clong / cmd1.c
Created November 26, 2017 19:00
cmd1.c
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
@clong
clong / Native-Windows-Useragentss.txt
Created September 23, 2017 06:41
Native Windows UserAgents for Threat Hunting
Invoke-WebRequest:
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.1066
System.Net.WebClient.DownloadFile():
None
Start-BitsTransfer:
Microsoft BITS/7.8
certutil.exe: