Eric Capuano ecapuano

## share_unshare_libraries.py
# inspired by https://gist.github.com/JonnyWong16/f8139216e2748cb367558070c1448636
# adapted by eric capuano, @eric_capuano@infosec.exchange
# modified to support python3, and supports updating ALL users instead of specifying userIDs manually.
#
# first, add your PLEX_TOKEN and SERVER_ID
# second, add the libraries you want to share/unshare to SHARED_LIBRARY_IDS
# usage: python3 share_unshare_libraries.py share/unshare

import requests
from xml.dom import minidom

## sliver_broad.yara
rule sliver_strings {
  meta:
    author = "Eric Capuano, inspired by NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb"
  condition:
    all of ($p*)
}

## sliver.yara
rule sliver_github_file_paths_function_names {
  meta:
    author = "NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb."
    $fn1 = "RevToSelfReq"
    $fn2 = "ScreenshotReq"
    $fn3 = "IfconfigReq"

## Windows.Destroy.System.yaml
name: Windows.Destroy.System
description: |
  **WARNING! THIS IS HIGHLY DESTRUCTIVE!**

  Deletes ALL of the things. UNRECOVERABLE!

  First deletes sensitive areas (user profiles, event logs) then moves
  to wiping and zeroizing the entire C: drive.

  The system will ultimately fail before the process finishes, but the

## winlogbeats.yml
# A retired winlogbeats config maintained by the Recon InfoSec SOC
# contains most the higher value events needed for detection and response
# should be tuned for your specific environment and log volume tolerance

winlogbeat.event_logs: # Global Event Logs Config
  - name: Security
    ignore_older: 24h
    processors:
      - script:
          when.equals.winlog.channel: Security

## secrets.yara
/*
  Yara signatures for identifying secrets in text files. Requires libmagic!

  Mostly all stolen from Trufflehog regexes:
  - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json

*/

import "magic"

## gist:fc0cde0e9293bff8b01783cf8666d214
// Run against hunt results from Windows.System.Pslist
// Note: Returns ONLY unsigned processes, which minimizes less critical API calls
// Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert

LET VTKey <= "$apikey"
LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
LIMIT 50

SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)

## wmi_event_consumer_stacking.txt
// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml

SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
// filter common FPs
WHERE ConsumerName != "BVTConsumer"
AND ConsumerName != "SCM Event Log Consumer"
AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
AND ConsumerName != "CmdLineConsumer_WSCEAA"

## gist:13386852fb80beac4561f2bed569095e
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
#
# https://twitter.com/eric_capuano

# Quick check for likely successful attacks
## Bash (faster)
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log

## Eradication.ps1
# A script that will safely remove adversary footholds on systems.
#
# Be sure to replace your observables down below. Be careful not to
# included LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano
	# inspired by https://gist.github.com/JonnyWong16/f8139216e2748cb367558070c1448636
	# adapted by eric capuano, @eric_capuano@infosec.exchange
	# modified to support python3, and supports updating ALL users instead of specifying userIDs manually.
	#
	# first, add your PLEX_TOKEN and SERVER_ID
	# second, add the libraries you want to share/unshare to SHARED_LIBRARY_IDS
	# usage: python3 share_unshare_libraries.py share/unshare

	import requests
	from xml.dom import minidom
	rule sliver_strings {
	meta:
	author = "Eric Capuano, inspired by NCSC UK"
	description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
	strings:
	$p1 = "/sliver/"
	$p2 = "sliverpb"
	condition:
	all of ($p*)
	}
	rule sliver_github_file_paths_function_names {
	meta:
	author = "NCSC UK"
	description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
	strings:
	$p1 = "/sliver/"
	$p2 = "sliverpb."
	$fn1 = "RevToSelfReq"
	$fn2 = "ScreenshotReq"
	$fn3 = "IfconfigReq"
	name: Windows.Destroy.System
	description: \|
	WARNING! THIS IS HIGHLY DESTRUCTIVE!

	Deletes ALL of the things. UNRECOVERABLE!

	First deletes sensitive areas (user profiles, event logs) then moves
	to wiping and zeroizing the entire C: drive.

	The system will ultimately fail before the process finishes, but the
	# A retired winlogbeats config maintained by the Recon InfoSec SOC
	# contains most the higher value events needed for detection and response
	# should be tuned for your specific environment and log volume tolerance

	winlogbeat.event_logs: # Global Event Logs Config
	- name: Security
	ignore_older: 24h
	processors:
	- script:
	when.equals.winlog.channel: Security
	/*
	Yara signatures for identifying secrets in text files. Requires libmagic!

	Mostly all stolen from Trufflehog regexes:
	- https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json

	*/

	import "magic"
	// Run against hunt results from Windows.System.Pslist
	// Note: Returns ONLY unsigned processes, which minimizes less critical API calls
	// Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert

	LET VTKey <= "$apikey"
	LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
	WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
	LIMIT 50

	SELECT , {SELECT FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)
	// run against results from Windows.Persistence.PermanentWMIEvents
	// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml

	SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
	// filter common FPs
	WHERE ConsumerName != "BVTConsumer"
	AND ConsumerName != "SCM Event Log Consumer"
	AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
	AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
	AND ConsumerName != "CmdLineConsumer_WSCEAA"
	# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
	# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
	#
	# https://twitter.com/eric_capuano

	# Quick check for likely successful attacks
	## Bash (faster)
	egrep -i '((POST.\/aspnet_client\/)\|(system_web\/[A-Za-z0-9]{8}\.aspx\|\/ecp\/y\.js)).2[0-9]{2}\s[0-9]+' *.log
	## PowerShell
	Select-String -Pattern '((POST.\/aspnet_client\/)\|(system_web\/[A-Za-z0-9]{8}\.aspx\|\/ecp\/y\.js)).2[0-9]{2}\s[0-9]+' *.log
	# A script that will safely remove adversary footholds on systems.
	#
	# Be sure to replace your observables down below. Be careful not to
	# included LOLBINs as they cannot be safely killed this way. Use
	# Kill-Threads.ps1 for those.
	#
	# Used with great success during CF20
	#
	# Author: Eric Capuano