Mike Devens co-devs

## unc1878_indicators.txt
# C2 FQDNs
first seen fqdn
2019-12-11 23:37:10	updatemanagir.us
2019-12-20 17:51:05	cmdupdatewin.com
2019-12-26 18:03:27	scrservallinst.info
2020-01-10 00:33:57	winsystemupdate.com
2020-01-11 23:16:41	jomamba.best
2020-01-13 05:13:43	updatewinlsass.com
2020-01-16 11:38:53	winsysteminfo.com
2020-01-20 05:58:17	livecheckpointsrs.com

## snippet_gen_yara_hash.py
import hashlib
import re

def calculate_rule_hash(rule):
    """
    Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
    Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
    :param rule: yara rule object
    :return hash: generated hash
    """

## ipinfo_resolv.sh
#!/bin/bash
sed 's/$/\/hostname/' | parallel --jobs=12 --pipe -N1000 \
"curl -s -XPOST -H 'Content-Type: text/plain' --data-binary @- 'ipinfo.io/batch?token=$TOKEN&filter=1'" | \
grep '"' | sed 's|/hostname||' | cut -d'"' -f2,4 | tr '"' '\t'

## Microsoft.PowerShell_profile.ps1
function Prompt
{
  $FullUnicode = 'U+1F525'
  $StrippedUnicode = $FullUnicode -replace 'U\+',''
  $UnicodeInt = [System.Convert]::toInt32($StrippedUnicode,16)
  $promptEmoji = [System.Char]::ConvertFromUtf32($UnicodeInt)

  (Write-Host -NoNewline (Get-Date -Format "[HH:mm:ss]$promptEmoji"))

  (Write-Host -NoNewline $env:USERNAME -ForegroundColor Red)

## emotet_powExtract.py
#!/usr/bin/env python3
import re
import sys
import subprocess
import glob
import base64
import yaml


def dumpYaml(data):

## go-sharp-loader.go
package main

/*
Example Go program with multiple .NET Binaries embedded

This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

Place all your EXEs are in a "binaries" folder

## 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]

## get-shodan-favicon-hash.py
# https://twitter.com/brsn76945860/status/1171233054951501824
pip install mmh3

-----------------------------
# python 2
import mmh3
import requests

response = requests.get('https://cybersecurity.wtf/favicon.ico')
favicon = response.content.encode('base64')

## XOREngine_HTTP.yar
rule XOREngine_HTTP
{
    meta:
        author = "smiller"
        description = "This looks for brute XOR of http:// in a PE."
        ref = "578cb44b784125ebd58ecb458d51b23d"
    strings:
        $key_01 = { 69 75 75 71 3b 2e 2e }
        $key_02 = { 6a 76 76 72 38 2d 2d }
        $key_03 = { 6b 77 77 73 39 2c 2c }

## forensics-cheatsheet.md

      
              1 file
            
          
              3 forks
            
          
              0 comments
            
          
              6 stars
            
          
                mihalyr
                / forensics-cheatsheet.md
            
            
              Created
              January 29, 2020 14:15
            
              
                Linux Compromise Assessment Command Cheat Sheet
              
          
    Linux Compromise Assessment Command Cheat Sheet

Source: https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
Processes

Large amounts of RAM:
top
	# C2 FQDNs
	first seen fqdn
	2019-12-11 23:37:10 updatemanagir.us
	2019-12-20 17:51:05 cmdupdatewin.com
	2019-12-26 18:03:27 scrservallinst.info
	2020-01-10 00:33:57 winsystemupdate.com
	2020-01-11 23:16:41 jomamba.best
	2020-01-13 05:13:43 updatewinlsass.com
	2020-01-16 11:38:53 winsysteminfo.com
	2020-01-20 05:58:17 livecheckpointsrs.com
	import hashlib
	import re

	def calculate_rule_hash(rule):
	"""
	Calculates a hash over the relevant YARA rule content (string contents, sorted condition)
	Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara
	:param rule: yara rule object
	:return hash: generated hash
	"""
	#!/bin/bash
	sed 's/$/\/hostname/' \| parallel --jobs=12 --pipe -N1000 \
	"curl -s -XPOST -H 'Content-Type: text/plain' --data-binary @- 'ipinfo.io/batch?token=$TOKEN&filter=1'" \| \
	grep '"' \| sed 's\|/hostname\|\|' \| cut -d'"' -f2,4 \| tr '"' '\t'
	function Prompt
	{
	$FullUnicode = 'U+1F525'
	$StrippedUnicode = $FullUnicode -replace 'U\+',''
	$UnicodeInt = [System.Convert]::toInt32($StrippedUnicode,16)
	$promptEmoji = [System.Char]::ConvertFromUtf32($UnicodeInt)

	(Write-Host -NoNewline (Get-Date -Format "[HH:mm:ss]$promptEmoji"))

	(Write-Host -NoNewline $env:USERNAME -ForegroundColor Red)
	#!/usr/bin/env python3
	import re
	import sys
	import subprocess
	import glob
	import base64
	import yaml


	def dumpYaml(data):
	package main

	/*
	Example Go program with multiple .NET Binaries embedded

	This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

	Place all your EXEs are in a "binaries" folder
	# https://twitter.com/brsn76945860/status/1171233054951501824
	pip install mmh3

	-----------------------------
	# python 2
	import mmh3
	import requests

	response = requests.get('https://cybersecurity.wtf/favicon.ico')
	favicon = response.content.encode('base64')
	rule XOREngine_HTTP
	{
	meta:
	author = "smiller"
	description = "This looks for brute XOR of http:// in a PE."
	ref = "578cb44b784125ebd58ecb458d51b23d"
	strings:
	$key_01 = { 69 75 75 71 3b 2e 2e }
	$key_02 = { 6a 76 76 72 38 2d 2d }
	$key_03 = { 6b 77 77 73 39 2c 2c }