' Reads the ProcessCreationIncludeCmdLine_Enabled DWORD under the local machine's
' Policies\System\Audit key through the WMI StdRegProv provider. That value is the
' "include command line in process creation events" audit policy setting; the If
' on the line after this block tests whether it is absent (Null).
Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
strComputer = "." '"." is the local machine; ConnectServer below takes this name
strKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
' Registry access goes via WMI (root\cimv2 StdRegProv) rather than WScript.Shell.
Set objReg = objLocator.ConnectServer(strComputer, "root\cimv2").Get("StdRegProv")
' arrSubKeys receives the subkey names; it is not read in the lines shown here.
objReg.EnumKey HKLM, strKey, arrSubKeys
' isenabled receives the DWORD. "strkey" is the same variable as strKey above
' (VBScript identifiers are case-insensitive).
objReg.GetDWORDValue HKLM, strkey, "ProcessCreationIncludeCmdLine_Enabled", isenabled
If IsNull(isenabled) Then
# Script-level inputs and result holders. The scanning logic that uses them is
# further down the file and not part of this excerpt, so the comments below only
# describe what the names hold, not how they are consumed.
$exepath = "c:\windows"   # directory that is presumably walked for executables
$searchstrings = @("/url", "/uri", "/wildcard", "/format", "/path")   # tokens the scan looks for (verify against the loop below)
$skip = @("logoff.exe", "mcrmgr.exe", "audit.exe")   # binaries excluded from testing
$foundin = @()      # accumulates binaries where a match was found (empty until the scan runs)
$testedbins = @()   # accumulates every binary that was tested
Function Execute-Command ($commandPath, $commandArguments)
{
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $commandPath
# This is not my work. All credit goes to https://github.com/Neo23x0/sigma. I just used the tool to convert to graylog format,
# skipped over the errors, and added some carriage returns for ease of reading. If you see a blank rule, it means there was a conversion error.
rules/application/appframework_django_exceptions.yml
("SuspiciousOperation" OR "DisallowedHost" OR "DisallowedModelAdminLookup" OR "DisallowedModelAdminToField" OR "DisallowedRedirect" OR "InvalidSessionKey" OR "RequestDataTooBig" OR "SuspiciousFileOperation" OR "SuspiciousMultipartForm" OR "SuspiciousSession" OR "TooManyFieldsSent" OR "PermissionDenied")
{
"template": "graylog_*",
"mappings" : {
"message" : {
"properties" : {
"CommandLine" : {
"type" : "string",
"index" : "analyzed"
},
"ScriptBlockText" : {
<?XML version="1.0"?>
<scriptlet>
<registration
progid="COMHijackTesting"
remoteable="true"
version="1.00"
classid="{00000001-0001-0001-0001-0000DEADBEEF}" >
</registration>
<?XML version="1.0"?>
<scriptlet>
<registration
classid="{00000001-0001-0001-0001-0000DEADBEEF}"
remotable="true"
>
</registration>
<script language="JScript">
# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious PowerShell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests
Advanced Attack Infrastructure Training Aliases
# Interactive aliases for the training host. Every editor alias runs the editor
# under sudo, i.e. as root; an editor started this way can also spawn a root
# shell, so these are convenience shortcuts for a lab box, not a hardening step.
alias vim='sudo vim' \
      nano='sudo nano' \
      vi='sudo vi'

# Apache helpers. CHANGEME is a placeholder for the site's log and vhost name
# and must be replaced before use.
alias aplog='sudo tail -f /var/log/apache2/CHANGEME.log'
alias apedit='sudo nano /etc/apache2/sites-available/CHANGEME.conf'
alias apstart='sudo service apache2 start' \
      apstop='sudo service apache2 stop' \
      apload='sudo service apache2 reload'
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="NotSubTee">
<BusinessTime />
</Target>
<UsingTask
TaskName="BusinessTime"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
/etc/apt/sources.list for Ubuntu 18.04.1 LTS Bionic Beaver
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted