| ``` | |
| Author: @0x1FFFFF | |
| Date: 1 September, 2021 | |
| Goal: Enumerate the human readable permission listed in Sysmon EID 10s. | |
| Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table. | |
| ``` | |
| $Your_Sysmon_Logic_Here$ EventCode=10 | |
| | stats count by GrantedAccess |
FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible with Sysmon are listed below
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ParentImage="C:\\Windows\System32\\svchost.exe" and ImageLoaded="*NetSetupSvc.dll"
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
The following instructions are heavily inspired by /u/uhohohdear. I modified uhohohdear's instructions and then added support for Retina/HiDPI displays and instructions about how to update MTGA.
IMPORTANT UPDATE: This will no longer work if you upgrade to macOS Catalina, as Wine and Wineskin are 32-bit. I'll update this Gist with 64-bit versions when they become available.
We're back in business!
It appears that the workarounds no longer work. A few people with Macs using Nvidia graphics cards are having success, but Macs with Intel and AMD GPUs crash regularly. At this time, the best way to play Arena on Mac is via Boot Camp or GeForce Now.
Signal Server Installation Guide
Author: Aqnouch Mohammed aqnouch.mohammed@gmail.com
| alias wget='wget -q --no-check-certificate' | |
| # so that we can install virtualbox via apt-get | |
| for x in xenial xenial-security xenial-updates; do | |
| egrep -qe "deb-src.* $x " /etc/apt/sources.list || echo "deb-src http://archive.ubuntu.com/ubuntu ${x} main universe" | tee -a /etc/apt/sources.list | |
| done | |
| echo "deb http://download.virtualbox.org/virtualbox/debian xenial contrib" | tee -a /etc/apt/sources.list.d/virtualbox.list | |
| wget https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | apt-key add - | |
| apt-get update |
Use a Raspberry Pi as a bridge into my home LAN. The pi is plugged into a switch, which is plugged into an airport express, which is plugged into a cable modem; Nothing fancy.
This isn't a tutorial. Just some example output from a working setup.
off the top of my head, here's the order I would do it in:
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
