Michael shiftybitshiftr

## michael.sh
#!/bin/bash

echo "hello i'm michael"

## Connectwise RMM Signatures.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                shiftybitshiftr
                / Connectwise RMM Signatures.md
            
            
              Last active
              April 14, 2023 23:44
            
          
executable
code_signature.subject_name
code_signature.serial_number


C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe
Connectwise, LLC
0b9360051bccf66642998998d5ba97ce


C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Client.exe
Connectwise, LLC
0b9360051bccf66642998998d5ba97ce


C:\Windows\LTSvc\LTSVC.exe
Connectwise, LLC


C:\Users\*\Downloads\ConnectWiseControl.Client.exe
Connectwise, LLC


Notes:

Connectwise Automate / Labtech is a paid tool, whereas Connectwise Control / Screenconnect has a free version.


## solarwinds_sunburst_threathunting_queries.txt
--(Known) hashes of backdoored SolarWinds.Orion.Core.BusinessLayer.dll; Ref: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Sha256 in ( "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b, eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed, c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77, ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc, d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af" )

--Known SUNBURST domains created by Subdomain Generation Algorithm; Ref: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
URL In Contains AnyC

## Exchange-IIS-Log-Checker.ps1
# Check this folder for asp files C:\inetpub\wwwroot\aspnet_client\system_web
# Using SHA256 for file hash checking

# Enable following line to see the progress step through this scripts. Not required for automation.
# $VerbosePreference = "Continue"

# "-RunAsAdministrator" Required - admin privileges needed to read log paths

$KnownBadSHA256 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0","097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e","2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1","65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5","511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1","4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea","811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d","1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944"
write-verbose "Checking C:\inetpub\wwwroot\aspnet_client for extra files"

## IIS-Log-HAFNIUM-IP-Checkers.ps1
$KnownBadIPs = "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56", "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72", "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.254.43.18", "80.92.205.81", "165.232.154.116", "89.34.111.11", "86.105.18.116", "112.68.212.214", "124.46.192.149", "37.147.230.142", "61.78.141.128", "212.69.1.194", "88.157.2.183", "121.153.83.248", "60.246.26.200", "210.223.169.77", "183.173.113.166", "23.240.201.239", "118.218.186.184", "77.122.10.183", "46.101.232.43", "45.157.53.13", "110.39.192.162"

$files = Get-ChildItem -Recurse "C:\inetpub\logs\LogFiles\*.log"

foreach($file in $files)
{
    Write-Host "Reading files"
    Write-Host $file.Name
    $ReadFile = Get-Content -Path $file
    foreach($BadIP in $KnownBadIPs) {
executable	code_signature.subject_name	code_signature.serial_number
C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe	Connectwise, LLC	0b9360051bccf66642998998d5ba97ce
C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Client.exe	Connectwise, LLC	0b9360051bccf66642998998d5ba97ce
C:\Windows\LTSvc\LTSVC.exe	Connectwise, LLC
C:\Users\*\Downloads\ConnectWiseControl.Client.exe	Connectwise, LLC
	--(Known) hashes of backdoored SolarWinds.Orion.Core.BusinessLayer.dll; Ref: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
	Sha256 in ( "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b, eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed, c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77, ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc, d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af" )

	--Known SUNBURST domains created by Subdomain Generation Algorithm; Ref: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
	URL In Contains AnyC
	# Check this folder for asp files C:\inetpub\wwwroot\aspnet_client\system_web
	# Using SHA256 for file hash checking

	# Enable following line to see the progress step through this scripts. Not required for automation.
	# $VerbosePreference = "Continue"

	# "-RunAsAdministrator" Required - admin privileges needed to read log paths

	$KnownBadSHA256 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0","097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e","2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1","65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5","511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1","4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea","811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d","1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944"
	write-verbose "Checking C:\inetpub\wwwroot\aspnet_client for extra files"
	$KnownBadIPs = "103.77.192.219", "104.140.114.110", "104.250.191.110", "108.61.246.56", "149.28.14.163", "157.230.221.198", "167.99.168.251", "185.250.151.72", "192.81.208.169", "203.160.69.66", "211.56.98.146", "5.254.43.18", "80.92.205.81", "165.232.154.116", "89.34.111.11", "86.105.18.116", "112.68.212.214", "124.46.192.149", "37.147.230.142", "61.78.141.128", "212.69.1.194", "88.157.2.183", "121.153.83.248", "60.246.26.200", "210.223.169.77", "183.173.113.166", "23.240.201.239", "118.218.186.184", "77.122.10.183", "46.101.232.43", "45.157.53.13", "110.39.192.162"

	$files = Get-ChildItem -Recurse "C:\inetpub\logs\LogFiles\*.log"

	foreach($file in $files)
	{
	Write-Host "Reading files"
	Write-Host $file.Name
	$ReadFile = Get-Content -Path $file
	foreach($BadIP in $KnownBadIPs) {