I hereby claim:
- I am ion-storm on github.
- I am ionstorm_ (https://keybase.io/ionstorm_) on keybase.
- I have a public key ASDcmNr5gWQB17z9e3J6fs2d-EuPTVa_33DwKKjKva6KWAo
To claim this, I am signing this object:
@echo off
:: Sophos Removal Tool
setlocal
cd /d %~dp0
start /wait net stop "Sophos AutoUpdate Service"
start /wait sc stop "Sophos Agent"
start /wait sc stop "SAVService"
start /wait sc stop "SAVAdminService"
start /wait sc stop "Sophos AutoUpdate Service"
start /wait sc stop "Sophos Client Firewall"
$path_ = "C:\"
$list = @(Get-ChildItem -Path $path_ -Name "SolarWinds.Orion.Core.BusinessLayer.dll" -Recurse)
$list | % {
    $fullPath = $path_ + $_
    Get-FileHash $fullPath -Algorithm SHA256 | Format-List
}
input {
  kafka {
    bootstrap_servers => "" #configurable
    group_id => "" #configurable
    auto_offset_reset => "" #configurable
    security_protocol => "SASL_SSL"
    sasl_mechanism => "SCRAM-SHA-512"
    sasl_jaas_config => "org.apache.kafka.common.security.scram.ScramLoginModule required username='' password='';"
    ssl_endpoint_identification_algorithm => ""
    topics => [""] #configurable
function Get-InjectedThread
{
    <#
    .SYNOPSIS
    Looks for threads that were created as a result of code injection.
    .DESCRIPTION
MITRE ATT&CK - T1132 - Data Encoding
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| UEs | 🏬 Upper East Side | PK | ZIP, Office documents |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
$ScrObjBlockRule = New-CIPolicyRule -DriverFilePath $Env:windir\System32\scrobj.dll -Level FileName -Deny -AppID $Env:windir\System32\regsvr32.exe
# Merge the block rule into the allow-all template policy included in the OS
Merge-CIPolicy -OutputFilePath CustomASRPolicy.xml -PolicyPaths $Env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -Rules $ScrObjBlockRule
# This must be run elevated. Convert the policy to binary form and copy it to where WDAC will consume it.
ConvertFrom-CIPolicy -XmlFilePath .\CustomASRPolicy.xml -BinaryFilePath $Env:windir\System32\CodeIntegrity\SIPolicy.p7b
# Now reboot and the policy will take effect.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading

class RundownDotNetETW(etw.ETW):
    def __init__(self, verbose, high_risk_only):
@ECHO OFF
ECHO ====================================================================
ECHO Sophos Removal v2.0 - Ed Cooper/Kyle Weller
ECHO Removes Sophos v7 - v10
ECHO ====================================================================
ECHO.
ECHO.
IF NOT EXIST "%~dp0\msizap.exe" GOTO MSIZAPNOTFOUND
ECHO Administrative permissions required. Detecting permissions...
ECHO.