Don C. Weber cutaway

@cutaway
cutaway / Get-ServicesExePerms.ps1
Created July 23, 2024 15:20
Test the permissions for the service executables and directories.
########################
# Get-ServicesExePerms.ps1: Test the permissions for the service executables and directories.
# Author: Don C. Weber (cutaway)
# Date: 20240723
#
########################
$sf = (Get-CimInstance -ClassName Win32_Service).PathName | ForEach-Object { ( ( ( $_ -Split '.exe' )[0] -replace '^"') + '.exe' ).tolower() } | Sort-Object | Get-Unique | ForEach-Object { if ( Test-Path -Path "$_" -PathType Leaf ) { $_ } }
#$rights = @("FullControl","Modify","Write","Read","ReadAndExecute","Synchronize")
cutaway / Sim-PSEncFiles.ps1
Created July 21, 2024 23:38
This PS script will encrypt all of the files in a target folder to a selected location.
######################
# Sim-PSEncFiles.ps1: Simulate file encryption using PSRemoting
# Purpose: This PS script will encrypt all of the files in a target
# folder to a selected location. The purpose of this script
# is to perform actions similar to the actions performed by
# ransomware. These actions will touch a large number of files,
# create new files with different extension, and encrypt the
# file to a new location. The original file is not modified
#
# Author: Don C. Weber (cutaway)
cutaway / gist:8d44fa81fafab86fae8d0ed8f0a473bc
Created February 4, 2022 06:09
Mitmdump SSL Creds Dumper
from mitmproxy import http
import paramiko
# Original Example: https://stackoverflow.com/questions/27369144/use-mitmproxy-to-translate-a-form-key-value-to-a-body-post
DEBUG = False
#DEBUG = True
class GetRTUCreds:
    localhost = '127.0.0.1'
cutaway / disable_windows_defender_powershell.txt
Created June 26, 2021 18:34
Disable Windows Defender Powershell
Disable Windows Defender
NOTE: These settings may be permanent.
• Get-MpComputerStatus
• Set-MpPreference -DisableRealtimeMonitoring $true
• Set-MpPreference -DisableBehaviorMonitoring $true
• Set-MpPreference -DisableIntrusionPreventionSystem $true
• Set-MpPreference -DisableIOAVProtection $true
• Set-MpPreference -DisableScriptScanning $true
• Get-MpComputerStatus
###########################
# Bash ~/.bashrc
###########################
function CONPS() {
n=$1
export PS1='\n$n \D{%F %T}\n> '
}
alias consult00='CONPS Consult00; cd ~/Documents/consult00'
cutaway / iptables_monitor.sh
Created December 16, 2020 20:32
Script to use IPTables to prevent outbound traffic when using network taps and monitoring network traffic.
#!/bin/bash
ipt4='/sbin/iptables'
ipt6='/sbin/ip6tables'
for i in $ipt4 $ipt6; do
# Flush Rules
echo 'Flushing IPTables: ' $i
$i -F
$i -X
cutaway / PowerView-3.0-tricks.ps1
Created October 29, 2020 23:07 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
cutaway / aws_testing_steps.md
Last active October 15, 2020 14:44
AWS Testing Steps
# Vendor Documentation
* User manuals and administrative documents for all equipment
# Python Tools
* CPPPO - CIP module
* pyModbus - modbus module
* OPCUA - opc-ua module