Mike Devens co-devs

## Suspicious ASNs.kql
union SigninLogs, AADNonInteractiveUserSignInLogs
| where AutonomousSystemNumber in (33438, 25369, 62240, 9009, 60068, 40676, 8100)
| summarize
    min(TimeGenerated),
    max(TimeGenerated),
    ResultTypes = make_set(ResultType),
    IPAddresses = make_set(IPAddress),
    ASNs = make_set(AutonomousSystemNumber),
    AppDisplayNames = make_set(AppDisplayName),
    ClientAppUsed = make_set_if(ClientAppUsed, isnotempty(ClientAppUsed)),

## Get-RdpLogonEvent.ps1
function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )

    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ProviderName='Microsoft-Windows-Security-Auditing'

## internetdb.ipynb

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              5 stars
            
          
                jgamblin
                / internetdb.ipynb
            
            
              Created
              March 14, 2022 19:07
            
              
                CIDR lookup tool for the InternetDB API
              
          
      Sorry, something went wrong. Reload?
      Sorry, we cannot display this file.
      Sorry, this file is invalid so it cannot be displayed.
      
          Viewer requires iframe.
      
    
## Pull_logs_and_zip.ps1
#Ensure errors don't ruin anything for us
$ErrorActionPreference = "SilentlyContinue"


# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")

$basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"

$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"

## jndi-response.md

      
              1 file
            
          
              4 forks
            
          
              5 comments
            
          
              42 stars
            
          
                shipilev
                / jndi-response.md
            
            
              Last active
              February 6, 2022 17:12
            
          
Generate the file:

$ awk 'BEGIN { for(c=0;c<10000000;c++) printf "<p>LOL</p>" }' > 100M.html
$ (for I in `seq 1 100`; do cat 100M.html; done) | pv | gzip -9 > 10G.boomgz


Check it is indeed good:


## RansomwareExtensions.txt
You can create a GPO to test changing the default behavior of the following extensions to not behave as a script
but rather as a benign text file opened in notepad.

js
wsh
vbs
wsc
sct
jse
wsf

## EventDiff.ps1
# Log the time prior to executing the action.
# This will be used as parth of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)

# Do the thing now that you want to see potential relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly

# Allow a moment to allow events to populate
Start-Sleep -Seconds 5

## stpgetargtype_dump.json
[
    [
        "NtLockProductActivationKeys",
        [
            "UInt32 *",
            "UInt32 *"
        ]
    ],
    [
        "NtLockProductActivationKeys",

## Cobalt Strike servers April 2021
178.62.115.135
167.99.197.196
138.68.131.250
195.206.181.141
193.29.13.201
5.61.61.49
139.59.172.170
46.101.63.124
206.189.121.65
46.101.47.102

## gist:23c495e22eb391d89054c74e8b069236
Date,Details,Email Payload Type,Users Targeted
12/1/2020,Balance Payment; pdf -> agenttesla,Attachment,2
12/1/2020,All subjects contain DocuSign floydnicholsonsc.com sender; link -> hancitor  -> ficker,Link,8257
12/2/2020,All subjects contain DocuSign frankstaropoli.com sender; link -> hancitor  -> ficker,Link,4810
12/2/2020,Subjects Invoice <digits>; xlsm|xls -> dridex,Attachment,117
12/2/2020,Re:Re: New Purchase Order-030220- SMART SOURCING INC; link -> agenttesla,Link,5
12/2/2020,Re: Re: Proforma PI-08598; gz -> remcos,Attachment,3
12/3/2020,All subjects contain DocuSign freitasforcongress.com sender; link -> hancitor  -> ficker,Link,6047
12/3/2020,BALANCE PAYMENT; z -> agenttesla,Attachment,4
12/3/2020,RE: Payment Advice; z -> agenttesla,Attachment,4
	union SigninLogs, AADNonInteractiveUserSignInLogs
	\| where AutonomousSystemNumber in (33438, 25369, 62240, 9009, 60068, 40676, 8100)
	\| summarize
	min(TimeGenerated),
	max(TimeGenerated),
	ResultTypes = make_set(ResultType),
	IPAddresses = make_set(IPAddress),
	ASNs = make_set(AutonomousSystemNumber),
	AppDisplayNames = make_set(AppDisplayName),
	ClientAppUsed = make_set_if(ClientAppUsed, isnotempty(ClientAppUsed)),
	function Get-RdpLogonEvent
	{
	[CmdletBinding()]
	param(
	[Int32] $Last = 10
	)

	$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
	LogName='Security'
	ProviderName='Microsoft-Windows-Security-Auditing'
	#Ensure errors don't ruin anything for us
	$ErrorActionPreference = "SilentlyContinue"


	# Set variables
	$DesktopPath = [Environment]::GetFolderPath("Desktop")

	$basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"

	$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"
	You can create a GPO to test changing the default behavior of the following extensions to not behave as a script
	but rather as a benign text file opened in notepad.

	js
	wsh
	vbs
	wsc
	sct
	jse
	wsf
	# Log the time prior to executing the action.
	# This will be used as parth of an event log XPath filter.
	$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)

	# Do the thing now that you want to see potential relevant events surface...
	$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly

	# Allow a moment to allow events to populate
	Start-Sleep -Seconds 5
	[
	[
	"NtLockProductActivationKeys",
	[
	"UInt32 *",
	"UInt32 *"
	]
	],
	[
	"NtLockProductActivationKeys",
	178.62.115.135
	167.99.197.196
	138.68.131.250
	195.206.181.141
	193.29.13.201
	5.61.61.49
	139.59.172.170
	46.101.63.124
	206.189.121.65
	46.101.47.102
	Date,Details,Email Payload Type,Users Targeted
	12/1/2020,Balance Payment; pdf -> agenttesla,Attachment,2
	12/1/2020,All subjects contain DocuSign floydnicholsonsc.com sender; link -> hancitor -> ficker,Link,8257
	12/2/2020,All subjects contain DocuSign frankstaropoli.com sender; link -> hancitor -> ficker,Link,4810
	12/2/2020,Subjects Invoice <digits>; xlsm\|xls -> dridex,Attachment,117
	12/2/2020,Re:Re: New Purchase Order-030220- SMART SOURCING INC; link -> agenttesla,Link,5
	12/2/2020,Re: Re: Proforma PI-08598; gz -> remcos,Attachment,3
	12/3/2020,All subjects contain DocuSign freitasforcongress.com sender; link -> hancitor -> ficker,Link,6047
	12/3/2020,BALANCE PAYMENT; z -> agenttesla,Attachment,4
	12/3/2020,RE: Payment Advice; z -> agenttesla,Attachment,4