I hereby claim:
- I am phantinuss on github.
- I am phantinuss (https://keybase.io/phantinuss) on keybase.
- I have a public key ASDSqvzkEta_KwMLuw3mCc_BYBg5ubLrwTxHTDdA0zSUwQo
To claim this, I am signing this object:
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { $_.TimeCreated -ge (Get-Date) - (New-TimeSpan -Day 1) } | where Id -EQ 1 | where Message -match "rundll32" | Format-List -Property Message | Out-String -Stream | Select-String -Pattern " CommandLine:" |
$Config1URL = "https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml"
$Config1 = "sysmonconfig-export.xml"
$Config2URL = "https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/sysmon/sysmon.xml"
$Config2 = "sysmonconfig-all.xml"
# OS Arch for Exe
$OsArch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$SysmonExe = "Sysmon64.exe"
if ($OsArch -match "32-Bit"){ $SysmonExe = "Sysmon.exe" } else {$SysmonExe = "Sysmon64.exe"}
- U6aMy0wojraho (ref: https://yougottahackthat.com/blog/339/what-is-aad3b435b51404eeaad3b435b51404ee)
- $1$ADUODeAy$eCJ1lPSxhSGmSvrmWxjLC1 (ref: https://leo.leung.xyz/wiki/Create_a_Linux_User_with_an_Empty_Password)
- $6$My.Salt3$s4o9CBY5VxinLAjgkTqCChti8intR7n.1rLg.ZsMOlXTdbcTtoJo/GVE7cqm5S4GSP4HOYncqcRBc81BIMInc/ (ref: https://eklausmeier.goip.de/blog/2014/07-07-creating-user-account-with-empty-password-on-linux/)
It's ugly, but it is only intended to be run once. For reproducibility:
1. fetch data from https://gist.githubusercontent.com/MHaggis/6c600e524045a6d49c35291a21e10752/raw/9dd392bd5805386f021792264f93c42df44ddfb0/malleable_c2_profiles
# while read -r line; do curl $line|grep "spawnto"; done < in.cobaltstrike-profiles > out.cobaltstrike-profile-targets
2. clean the data, make stats
# cat out.cobaltstrike-profile-targets | awk '{$1=$1;print}' |grep -v "^#" | grep "set spawnto_" | grep -v "^job" |grep -Po "set spawnto_x.. \"(.*)\";" | cut -d\" -f2 | grep -Po "\\\([^\\\]*.exe)" | sort | uniq -c |sort -nr