
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
\AppData\\Roaming\\gcloud\\credentials.db"
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')"
SELECT * FROM win32_networkconnection"
Select * from Win32_ComputerSystem"
SELECT * FROM Win32_DeviceGuard"
SELECT * FROM win32_service"
SELECT * FROM AntiVirusProduct"
SELECT * FROM MSFT_DNSClientCache"
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process"
SELECT * FROM Win32_Process"
SELECT * FROM Win32_Process WHERE SessionID != 0"

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process's environment.
  • CLRConfig will look for configurations in the following places, in the following order:
    • Environment variables (prepending COMPlus_ to the name)
    • The framework registry keys under HKCU\Software\Microsoft\.NETFramework
    • The framework registry keys under HKLM\Software\Microsoft\.NETFramework
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
title: Processes Accessing the microphone and webcam
id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6
status: experimental
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
tags:

Clone Set-Audit Rule Project

git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule

Create Rule

vendor: OTR Community
step: 3.B.2
procedure: Executed elevated PowerShell payload
criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
technique:
name: Bypass User Account Control
id: T1088
issue: https://github.com/OTRF/detection-hackathon-apt29/issues/6
detections:
- main_type: Telemetry
from jinja2 import Template
import copy
import yaml
import glob
from os import path

print("[+] Processing files inside {} directory".format('../docs/evals/apt29/steps'))
# ******** Open every forge yaml file available ****************
print("[+] Opening report yaml files..")
# Step files are named "<step>.<letter>.<substep>_<name>.yaml" (e.g. 3.B.2_...),
# so sort numerically on step and sub-step and alphabetically on the letter.
yaml_files = sorted(
    glob.glob(path.join(path.dirname(__file__), '../docs/evals/apt29/steps', "*.yaml")),
    key=lambda x: (int(path.basename(x).split(".")[0]),
                   str(path.basename(x).split(".")[1]),
                   int(path.basename(x).split(".")[2].split("_")[0]))
)

Free Telemetry Report

Step Procedure Criteria Technique Detections
{% for s in renderyaml %} {{s['step']}} {{s['procedure']}} {{s['criteria']}} {{s['technique']['name']}}
{% endfor %}

{{renderquery['id']}}

Data Sources

{% for d in renderquery['data_sources'] %}* {{d}}
{% endfor %}

Logic

{{renderquery['logic']}}

Registry keys Deleted (Apparently)

  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
  • HKLM\System\CurrentControlSet\Control\WMI\Security\08dd09cd-9050-5a49-02f8-46fd443360a8
  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences\0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}