Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts of models in prod eagerly sought.
```python
# Copyright 2022 Malwarology LLC
#
# Use of this source code is governed by an MIT-style
# license that can be found in the LICENSE file or at
# https://opensource.org/licenses/MIT.
"""Unit test module for linting the project modules and the unit test modules."""
import contextlib
import io
import pathlib
import unittest
```
| ID | Name | MitigatedByAppControl | Notes |
|---|---|---|---|
| T1001 | Data Obfuscation | Not Applicable | Relevant sub-techniques addressed below |
| T1001.001 | Junk Data | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1001.002 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. |
| T1001.003 | Protocol Impersonation | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. |
| T1003 | OS Credential Dumping | Not Applicable | Relevant sub-techniques addressed below |
| T1003.001 | LSASS Memory | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.002 | Security Account Manager | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.003 | NTDS | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.004 | LSA Secrets | Limited | Built-in utilities exist to perform this technique. |
```powershell
$ISOFile = "C:\Users\DELL\Downloads\17763.737.190906-2324.rs5_release_svc_refresh_SERVERHYPERCORE_OEM_x64FRE_en-us_1.iso"
# Match the USB stick by its reported friendly name (the leading space is part of the device's name)
$USBDrive = Get-Disk | Where FriendlyName -eq " USB Flash Memory"
$USBDrive | Clear-Disk -RemoveData -Confirm:$true -PassThru
$USBDrive | Set-Disk -PartitionStyle GPT
$Volume = $USBDrive | New-Partition -UseMaximumSize -AssignDriveLetter | Format-Volume -FileSystem FAT32 -NewFileSystemLabel WS2019
$ISOMounted = Mount-DiskImage -ImagePath $ISOFile -StorageType ISO -PassThru
$ISODriveLetter = ($ISOMounted | Get-Volume).DriveLetter
Copy-Item -Path ($ISODriveLetter + ":\*") -Destination ($Volume.DriveLetter + ":\") -Recurse
```
```python
#!/usr/bin/env python3
#
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
# and from https://gist.github.com/skochinsky/07c8e95e33d9429d81a75622b5d24c8b
import sys
import struct
# I'm trying not to bury the magic number...
CHECKSUM_MASK = 0x536e6144  # DanS (actually SnaD when read as a little-endian integer)
RICH_TEXT = b'Rich'
```
```python
#!/usr/bin/env python3
#
# Extracts prodid enumeration from a given binary file
# Example usage:
#   extract-prodids.py -f msobj140-msvcrt.lib
#
import re, argparse, struct
# Note: care must be taken with the format of the RE string, as the following
# is only known for certain to work with msobj140-msvcrt.lib
```
```powershell
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
        $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID
        Stop-Process -Id $p.ProcessID -Force -ErrorAction SilentlyContinue
        # Walk up the process tree; the loop ends when no parent process is found
        $p = $pp
    }
}
```
```python
'''
Gets possible Great Cannon injections from UrlScan
'''
import requests
import json
# Insert your urlscan API Key
api_key = ''
```
```bash
#!/usr/bin/env bash
# just to be safe: wipe the dist folder of previous builds
rm -r dist/*
# ensure you have the latest versions of twine, setuptools, and wheel
python3 -m pip install --user --upgrade twine setuptools wheel
# build the package
python3 setup.py sdist bdist_wheel
```