Skip to content

Instantly share code, notes, and snippets.

@EvanMcBroom

EvanMcBroom/fireeye-tools.md

Last active October 13, 2023 08:16
Show Gist options
  • Save EvanMcBroom/f05a7d07b23dde45857c7e29f65d868d to your computer and use it in GitHub Desktop.
Save EvanMcBroom/f05a7d07b23dde45857c7e29f65d868d to your computer and use it in GitHub Desktop.
Download ZIP
FireEye Red Team Tools - Notes
Raw
fireeye-tools.md

FireEye Red Team Tools - Notes

These are my notes on FireEye's yara rules for it's red team's tools.

These are the public projects that I could identify to be directly associated with a tool:

Project Source
AndrewSpecial https://github.com/hoangprod/AndrewSpecial
BloodHound https://github.com/BloodHoundAD/BloodHound
CobaltStrike https://www.cobaltstrike.com/
DoHC2 https://github.com/SpiderLabs/DoHC2
DotNetToJScript https://github.com/tyranid/DotNetToJScript
DueDLLigence https://github.com/fireeye/DueDLLigence
GadgetToJScript https://github.com/med0x2e/GadgetToJScript
Get-GPPAutologon https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
Get-GPPPassword https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
GetDomainPasswordPolicy https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
GetDomainPasswordPolicy https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
GoRAT https://github.com/Nikait/GoRAT
Impacket https://github.com/SecureAuthCorp/impacket
InveighZero https://github.com/Kevin-Robertson/InveighZero
Invoke-WCMDump https://github.com/peewpw/Invoke-WCMDump
KeeFarce https://github.com/denandz/KeeFarce
Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles/tree/master/normal
NET-Assembly-Inject-Remote https://github.com/med0x2e/NET-Assembly-Inject-Remote
NoAmci https://github.com/med0x2e/NoAmci
PayloadsAllTheThings https://github.com/antonioCoco/PayloadsAllTheThings
pupy https://github.com/n1nj4sec/pupy
RT-EWS https://github.com/med0x2e/RT-EWS/
Rubeus https://github.com/GhostPack/Rubeus
RuralBishop https://github.com/rasta-mouse/RuralBishop
SafetyKatz https://github.com/GhostPack/SafetyKatz
Seatbelt https://github.com/GhostPack/Seatbelt
SharpDNS https://github.com/x3419/SharpDNS
SharPersist https://github.com/fireeye/SharPersist
SharpHound3 https://github.com/BloodHoundAD/SharpHound3
SharpSploit https://github.com/cobbr/SharpSploit
SharpView https://github.com/tevora-threat/SharpView
SharPyShell https://github.com/antonioCoco/SharPyShell
SharpZeroLogon https://github.com/nccgroup/nccfsas/tree/e78093a5c72a3f52e6805b54e4c2cfba1f9f87d7/Tools/SharpZeroLogon
SmbExec https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
WmiExec https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py

These are the tools with no public projects that I could identify to be directly associated with them:

  • ALLTHETHINGS (maybe antonioCoco/PayloadsAllTheThings)
  • DSHELL
  • IMPACKETOBF
  • JUSTASK
  • KEEPERSIST
  • LNKSMASHER
  • MATRYOSHKA
  • MEMCOMP
  • MOFCOMP
  • NETSHSHELLCODERUNNER
  • PGF
  • PREPSHELLCODE
  • PXELOOT
  • REDFLARE
  • RESUMEPLEASE
  • REVOLVER
  • SHARPGENERATOR
  • SHARPIVOT
  • SHARPPGREP
  • SHARPSACK
  • SHARPSCHTASK
  • SHARPSECTIONINJECTION
  • SHARPSTOMP
  • SHARPUTILS
  • SINFULOFFICE
  • UNCATEGORIZED
    • CredSnatcher
    • sharpdacl
    • sharpgopher
    • sharpnativezipper
    • sharpnfs
    • sharppatchcheck
    • sharpsqlclient
    • sharptemplate
    • sharptemplate
    • sharpwebcrawler
    • sharpziplibzipper
  • WEAPONIZE
  • WILDCHILD
  • WMIRUNNER
  • WMISPY

ADPASSHUNT / CredTheft_MSIL_ADPassHunt

Relevant Sources

  • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
  • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
Details 
This tool is used to hunt for AD credentials and used via execute-assembly that looks for passwords in GPP, Autoruns and AD objects.

typelibguid = "15745B9E-A059-4AF1-A0D8-863E349CD85D"
strings:
"LDAP://"
"[GPP] Searching for passwords now..."
"Searching Group Policy Preferences (Get-GPPPasswords + Get-GPPAutologons)!"
"possibilities so far)..."
"\groups.xml
"Found interesting file:"
"\x00GetDirectories\x00"
"\x00DirectoryInfo\x00"
"\ADPassHunt\"
"\ADPassHunt.pdb"
"Usage: .\ADPassHunt.exe"
"[ADA] Searching for accounts with msSFU30Password attribute"
"[ADA] Searching for accounts with userpassword attribute"
"[GPP] Searching for passwords now"

ALLTHETHINGS / Loader_MSIL_AllTheThings

Relevant Sources

  • Maybe https://github.com/antonioCoco/PayloadsAllTheThings
Details 
typelibguid = "542ccc64-c4c3-4c03-abcd-199a11b26754"

BEACON / CobaltStrike

Relevant Sources

  • https://www.cobaltstrike.com/
  • https://github.com/rsmudge/Malleable-C2-Profiles/tree/master/normal

BELTALOWDA / HackTool_MSIL_CoreHound

Relevant Sources

  • https://github.com/GhostPack/Seatbelt

COREHOUND / HackTool_MSIL_CoreHound

Relevant Sources

  • https://github.com/BloodHoundAD/BloodHound
Details 
typelibguid = "1fff2aee-a540-4613-94ee-4f208b30c599"

DSHELL / APT_Backdoor_Win_DShell

Details 
strings:
    $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
    $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide
    $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide
    $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
    $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
    $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide
    $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide
    $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide
    $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide
    $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide
    $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide

DTRIM / APT_HackTool_MSIL_DTRIM

Relevant Sources

  • https://github.com/cobbr/SharpSploit
Details 
typelibguid = "7760248f-9247-4206-be42-a6952aa46da2"

DUEDLLIGENCE / HackTool_MSIL_HOLSTER / MSIL_Launcher_DUEDLLIGENCE

Relevant Sources

  • https://github.com/fireeye/DueDLLigence
Details 
typelibguid = "a8bdbba4-7291-49d1-9a1b-372de45a9d88" / HackTool_MSIL_HOLSTER
typelibguid = "73948912-cebd-48ed-85e2-85fcd1d4f560" / MSIL_Launcher_DUEDLLIGENCE

EWSRT / HackTool_HTML_EWSRT / HackTool_PS1_EWSRT

Relevant Sources

  • https://github.com/med0x2e/RT-EWS/

HTML_EWSRT ClamAV Code Snippets

setapplication=.outlookapplication
application.createobject("shell.application")
classid="clsid:0006f063-0000-0000-c000-000000000046"
.shellexecute"certutil.exe","-urlcache-split-fhttp_payload

setapplication=.outlookapplication
application.createobject("shell.application")
classid="clsid:0006f063-0000-0000-c000-000000000046"
.shellexecute"powershell.exe","-nop-whidden-encodedcommandpowershell_encoded_payload

PS1_EWSRT ClamAV Snippets

function get-mailinfo
if(!$psboundparameters.containskey('email') -and !$psboundparameters.containskey('password') -and !$psboundparameters.containskey('accountsfilename')) { get-help $myinvocation.mycommand return }
$pr_deleted_message_size_extended = new-object microsoft.exchange.webservices.data.extendedpropertydefinition(26267,` [microsoft.exchange.webservices.data.mapipropertytype]::long)
get-mailinfo
get-globaladdresslist
invoke-impersonatedauth
invoke-mailenum
invoke-generatehomepage
set-homepage

FLUFFY / APT_HackTool_MSIL_FLUFFY

Details 
strings:
    "\x00Asktgt\x00"
    "\x00Kerberoast\x00"
    "\x00HarvestCommand\x00"
    "\x00EnumerateTickets\x00"
    "[*] Action: " wide
    "\x00Fluffy.Commands\x00"

G2JS / Builder_MSIL_G2JS

Relevant Sources

  • https://github.com/tyranid/DotNetToJScript
  • https://github.com/med0x2e/GadgetToJScript
Details 
typelibguid = "AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9"
binary template = b'\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00\x00\x00\x00\x00PE'

code tidbits:
"System.Text.ASCIIEncoding"
"System.Security.Cryptography.FromBase64Transform"
"System.IO.MemoryStream"
"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"
"Microsoft.XMLDOM"
"Microsoft.Windows.ActCtx"
"System.IO.MemoryStream"
"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"


offsets in FireEye's internal LazyNetToJscriptLoader tool:
b'\x18^\x9eS\x99]\x15\x1b\xd2\x9c\xd8\xdc\x9a\\x1d\x13\x1b\xd8Y\x19'
"henlOZXRUb0pzY3JpcHRMb2Fk" - bad b64 string
b'azyNetToJscriptLoade'

GETDOMAINPASSWORDPOLICY / HackTool_MSIL_GETDOMAINPASSWORDPOLICY

Relevant Sources

  • https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
Details 
typelibguid = "a5da1897-29aa-45f4-a924-561804276f08"

GPOHUNT / APT_HackTool_MSIL_GPOHUN

Relevant Sources

  • https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
Details 
typelibguid = "751a9270-2de0-4c81-9e29-872cd6378303"

hxioc Snippets

function\s+?b64ToStream
(b,l)
ActiveXObject(
var enc
Dim enc
length, transform
Function\s+?b64Decode
(ByVal enc)
Dim xmlObj, nodeObj

IMPACKETOBF (Smbexec) / HackTool_PY_ImpacketObfuscation

Relevant Sources

  • https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py

hxioc Snippets

\\127\.0\.0\.1\\.\$\\Windows\\Temp\\setupAPI\.dev\.log$
%CoMSpEC% /q /K echo
cmd.exe
services.exe
/q /K echo 
2^>^&1
& del 
\Temp\setupAPI.dev.log
\TEMP\install.bat
\Appdata\Local\Temp\install.bat
:\Windows\Temp\install.bat
>\s*\\\\127\.0\.0\.1\\.\$\\Windows\\Temp\\
2>&1
\\CurrentControlSet\\Services\\(Windows Update Control Service|Windows 10 Defender|Windows License Key Activation|Office 365 Proxy|Microsoft Security Center)\\ImagePath$
\\CurrentControlSet\\Services\\(OneDrive Sync Center|Background Action Manager|Secure Token Messaging Service|Windows  Update)\\ImagePath$
%CoMSpEC% /q /K 
services\Windows 10 Defender
services\Windows License Key Activation
services\Office 365 Proxy
services\Microsoft Security Center
services\OneDrive Sync Center
services\Background Action Manager
services\Secure Token Messaging Service
services\Windows  Update
\Windows\Temp\setupAPI.dev.log
\Windows\Temp\setupAPI.dev.log
\/K\s*echo.*>\s*\\\\127\..* 2\^?>\^?&1
cmd.exe
windows\temp\install.bat
"%~dp0Setup.exe" /s /f
windows\temp\install.bat
/k 
/q

ClamAV Snippets

class CMDEXEC
class RemoteShell
self.services_names
import random
self.__shell CoMSpEC
self.__serviceName
random.randint(len(self.services_names))

IMPACKETOBF (Wmiexec) / HackTool_PY_ImpacketObfuscation

Relevant Sources

  • https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py

hxioc Snippets

^.:\\Windows\\[0-9]{10}[0-9a-f]{8}\.dat$
start
WmiPrvSE.exe
cmd.exe /Q /K 
1\s*>\s*\\\\127\.0\.0\.1\\ADMIN\$\\[0-9]{10}[0-9a-f]{8}\.dat\s+2>&1$
\/Q\s*\/K.*1>\s*\\\\127\.0\.0\.1\\.*\\[0-9a-f]{18}\.dat.*2>&1
cmd.exe
wmiprvse.exe
cmd.exe
\/Q\s*\/K.*1\s*>\s*\\\\.*2>&1
\Svc_Block64
^[0-9a-f]{18}\.dat$
dat
windows
windows\temp

ClamAV Snippets

import random
class WMIEXEC
class RemoteShell
str(int(time.time())
random.randint(str(uuid.uuid4()).split()
self.__shell
cmd.exe

IMPACKETOBF / HackTool_PY_ImpacketObfuscation

Relevant Sources

  • https://github.com/SecureAuthCorp/impacket

hxioc Snippets

import random
class wmiexec
class remoteshell

ClamAV Snippets

class cmdexec
class remoteshell
self.services_names
import random
import random
class wmiexec
class remoteshell
Details 
Impacket-Obfuscation is a slightly obfuscated version of the open source Impacket framework.

INVEIGHZERO / HackTool_MSIL_INVEIGHZERO

Relevant Sources

  • https://github.com/Kevin-Robertson/InveighZero
Details 
typelibguid = "113ae281-d1e5-42e7-9cc2-12d30757baf1"

JUSTASK / APT_HackTool_MSIL_JUSTASK

Details 
typelibguid = "aa59be52-7845-4fed-9ea5-1ea49085d67a"

KEEFARCE / HackTool_MSIL_KeeFarce

Relevant Sources

  • https://github.com/denandz/KeeFarce
Details 
typelibguid = "17589ea6-fcc9-44bb-92ad-d5b3eea6af03"

KEEPERSIST / HackTool_MSIL_KeePersist_1

Details 
typelibguid = "1df47db2-7bb8-47c2-9d85-5f8d3f04a884"

LNKSMASHER / Dropper_LNK_LNKSmasher

Relevant Sources

  • ``

ClamAV Snippets

import os
import argparse
random.choice(
binascii.hexlify(
"4c0000000114020000000000c0000000000000
copy /b /y
.lnk %appdata%\
&& cd %appdata% &&
ShellExec_RunDLL
Cmd
FOR
tokens=
findstr
.lnk

hxioc Snippets

dir *si.lnk /b /a-d
tokens=1 delims=[]
lnk /b /a-d
findstr /r /c
DO cmd /c %D
SHELL32.DLL,ShellExec_RunDLL
%H IN ('dir *
/c copy /b /y *
System32\*rtutil.exe
&&echo 00>>
-f -enc""odehex
more +69
-f -decod""ehex
Details 
drive serial = { 12 F7 26 BE }
file droid guid = { BC 96 28 4F 0A 46 54 42 81 B8 9F 48 64 D7 E9 A5 }
guid clsid = { E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D }
header = { 4C 00 00 00 01 14 02 }

MATRYOSHKA / APT_Builder_PY_MATRYOSHKA

ClamAV Snippets

.pop(0)])
[1].replace('unsigned char buf[] = "'
binascii.hexlify(f.read()).decode(
os.system("cargo build {0} --bin {1}".format(
shutil.which('rustc')
~/.cargo/bin
Details 
Process Hollowing

MEMCOMP / Loader_MSIL_InMemoryCompilation

Details 
typelibguid = "524d2687-0042-4f93-b695-5579f3865205"

MOFCOMP / Suspicious MOF File

hxioc Snippets

instance of __EventFilter as $TimerFilter.{.    Name = "

MSBUILDME / USERINIT PROCESS LAUNCH BY MSBUILD

hxioc Snippets

MSBuild.exe
userinit.exe

NETASSEMBLYINJECT / Loader_MSIL_NETAssemblyInject

Relevant Sources

  • https://github.com/med0x2e/NET-Assembly-Inject-Remote
Details 
typelibguid = "af09c8c3-b271-4c6c-8f48-d5f0e1d1cac6"
typelibguid = "c5e56650-dfb0-4cd9-8d06-51defdad5da1"
typelibguid = "e8fa7329-8074-4675-9588-d73f88a8b5b6"

NETSHSHELLCODERUNNER / Loader_MSIL_NetshShellCodeRunner

Details 
typelibguid = "49c045bc-59bb-4a00-85c3-4beb59b2ee12"

NOAMCI / APT_HackTool_MSIL_NOAMCI

Relevant Sources

  • https://github.com/med0x2e/NoAmci
Details 
typelibguid = "7bcccf21-7ecd-4fd4-8f77-06d461fd4d51"
typelibguid = "ef86214e-54de-41c3-b27f-efc61d0accc3"

PGF / APT_Loader_MSIL_PGF

ClamAV Snippets

from lib.payload.techniques import
_shellcode_inject_base,
 in payloadtemplate.subclasses():
payloadtemplate.variant(args.technique, args.template)
<project toolsversion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/
<usingtask
taskfactory="codetaskfactory"
<code type="class" language="cs">
public override bool execute

<#@ template language="c#" #>
<#+ namespace

<sequentialworkflowactivity x:class=
<codeactivity x:name=
<x:code>
<![cdata[
system.convert.frombase64string(
Details 
strings:
    "\x00CreateThread\x00"
    "\x00ScriptObjectStackTop\x00"
    "\x00Microsoft.JScript\x00"

hxioc Snippets

InstallUtil
:\Windows\System32\msiexec.exe
:\Windows\SysWOW64\msiexec.exe
^[A-Z]:\\Windows\\winsxs\\[^\\]+\\msiexec\.exe$
:\Program Files\KARDEX\Power Pick Global\InstallUtil.exe
:\Program Files (x86)\KARDEX\Power Pick Global\InstallUtil.exe
D:\\Applications\\[^\\]+\\Private\\[^\\]+\\.*\.exe
C:\Program Files (x86)\IBM\WinCollect Console\bin\WinCollectUserInterface.dll
\Microsoft.Workflow.Compiler.exe.lib
\UIAutomationClientsideProviders.dll.rsp
\AppData\sbscmp20_mscorwks.dll.rsp
\"C:\\Program Files( \(x86\))?\\
[-/]logfile= 
[-/]u
/showcallstack
/user=
team\s*foundation
^.:\\BUILD\\[^\\]+\\Nant\\NAnt\.exe$
[-/]LogToConsole=false
[-/]LogToConsole=true
:\Program Files\
:\Program Files (x86)\
installutil
[-/]logfile= 
[-/]u
[-/]LogToConsole=

PUPPYHOUND / HackTool_MSIL_PuppyHound

Relevant Sources

  • https://github.com/n1nj4sec/pupy
  • https://github.com/BloodHoundAD/SharpHound3
Details 
The PuppyHound variant of SharpHound.
strings:
    "PuppyHound"
    "UserDomainKey"
    "LdapBuilder"

PXELOOT / HackTool_MSIL_PXELOOT

Details 
The "PXE And Loot" (PAX) project.
typelibguid = "78B2197B-2E56-425A-9585-56EDC2C797D6"
strings:
    "_CorExeMain"
    "PXE"
    "InvestigateRPC"
    "DhcpRecon"
    "UnMountWim"
    "remote WIM image"
    "DISMWrapper"
    "findTFTPServer"
    "DHCPRequestRecon"
    "DHCPDiscoverRecon"
    "GoodieFile"
    "InfoStore"
    "execute"

REDFLARE (Gorat)

Relevant Sources

  • https://github.com/Nikait/GoRAT
Details 
Windows, MacOS, Powershell, and .NET modules of the GoRAT backdoor for RedFlare
typelibguid = ""

REDFLARE

Details 
I believe a FireEye internal C2 tool that can deploy GoRAT, keyloggers, and downloaders. Buildable for Windows, Linux, possible MacOS, and as a Python script.

RESUMEPLEASE / Trojan_Macro_RESUMEPLEASE

ClamAV Snippets

For Binary As
Range.Text
Environ(
CByte(
.SpawnInstance_
.Create(

REVOLVER / APT_HackTool_MSIL_REVOLVER

Details 
typelibguid = "a8bdbba4-7291-49d1-9a1b-372de45a9d88"
typelibguid = "b214d962-7595-440b-abef-f83ecdb999d2"

RUBEUS / HackTool_MSIL_Rubeus_1

Relevant Sources

  • https://github.com/GhostPack/Rubeus
Details 
typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06"

SAFETYKATZ / HackTool_MSIL_SAFETYKATZ

Relevant Sources

  • https://github.com/GhostPack/SafetyKatz
Details 
typelibguid = "8347E81B-89FC-42A9-B22C-F59A6A572DEC"

SHARPERSIST / HackTool_MSIL_SharPersist_2.yar

Relevant Sources

  • https://github.com/fireeye/SharPersist
Details 
typelibguid = "9D1B853E-58F1-4BA5-AEFC-5C221CA30E48"

SHARPGENERATOR / Builder_MSIL_SharpGenerator

Details 
typelibguid = "3f450977-d796-4016-bb78-c9e91c6a0f08"

SHARPIVOT / HackTool_MSIL_SharPivot

hxioc Snippets

wmiprvse.exe
svchost.exe
services.exe
taskeng.exe
cmd.exe
\sstart\s.*://
cmd.EXE /c start hpdiags://
start "C:\Program Files\internet explorer\iexplore.exe"
start iexplore http://
start curl "http://www.google.com"
start http://
rundll32.exe
url.dll\s*FileProtocolHandler.*://
3
\software\classes\
\shell\open\command\
Details 
Sharpivot adds a new protocol handler to Windows in order to execute a specified malicious command.
typelibguid = "3f450977-d796-4016-bb78-c9e91c6a0f08"

SHARPPGREP / Tool_MSIL_SharpGrep

Details 
typelibguid = "f65d75b5-a2a6-488f-b745-e67fc075f445"

SHARPSACK / APT_HackTool_MSIL_SHARPSACK

Details 
typelibguid = "1946808a-1a01-40c5-947b-8b4c3377f742"

SHARPSCHTASK / HackTool_MSIL_SharpSchtask

Details 
typelibguid = "0a64a5f4-bdb6-443c-bdc7-f6f0bf5b5d6c"

SHARPSECTIONINJECTION / Loader_MSIL_CSharpSectionInjection

Details 
typelibguid = "d77135da-0496-4b5c-9afe-e1590a4c136a"

SHARPSTOMP / HackTool_MSIL_SharpStomp

Details 
typelibguid = "41f35e79-2034-496a-8c82-86443164ada2"
strings:
    "mscoree.dll"
    "timestompfile"
    "sharpstomp"
    "GetLastWriteTime"
    "SetLastWriteTime"
    "GetCreationTime"
    "SetCreationTime"
    "GetLastAccessTime"
    "SetLastAccessTime"
    "mscoree.dll"
    "SetCreationTime"
    "GetLastAccessTime"
    "SetLastAccessTime"

SHARPUTILS / Tool_MSIL_CSharpUtils

Details 
typelibguid"2130bcd9-7dd8-4565-8414-323ec533448d"
typelibguid"319228f0-2c55-4ce1-ae87-9e21d7db1e40"
typelibguid"4471fef9-84f5-4ddd-bc0c-31f2f3e0db9e"
typelibguid"5c3bf9db-1167-4ef7-b04c-1d90a094f5c3"
typelibguid"ea383a0f-81d5-4fa8-8c57-a950da17e031"

SHARPY / Loader_MSIL_SharPy

Relevant Sources

  • https://github.com/antonioCoco/SharPyShell
Details 
typelibguid = "f6cf1d3b-3e43-4ecf-bb6d-6731610b4866"

SHARPZEROLOGON / HackTool_MSIL_SHARPZEROLOGON

Relevant Sources

  • https://github.com/nccgroup/nccfsas/tree/e78093a5c72a3f52e6805b54e4c2cfba1f9f87d7/Tools/SharpZeroLogon
Details 
typelibguid = "15ce9a3c-4609-4184-87b2-e29fc5e2b770"

SINFULOFFICE / Builder_MSIL_SinfulOffice

Details 
typelibguid = "9940e18f-e3c7-450f-801a-07dd534ccb9a"

TITOSPECIAL / APT_HackTool_MSIL_TITOSPECIAL

Relevant Sources

  • https://github.com/hoangprod/AndrewSpecial
Details 
typelibguid = "C6D94B4C-B063-4DEB-A83A-397BA08515D3"
typelibguid = "3b5320cf-74c1-494e-b2c8-a94a24380e60"
strings:
    "NtReadVirtualMemory"
    "WriteProcessMemory"
    "Minidump"
    "dumpType"
    "WriteProcessMemory"
    "bInheritHandle"
    "GetProcessById"
    "SafeHandle"
    "BeginInvoke"
    "EndInvoke"
    "ConsoleApplication1"
    "getOSInfo"
    "OpenProcess"
    "LoadLibrary"
    "GetProcAddress"

TRIMBISHOP / APT_Loader_MSIL_TRIMBISHOP

Relevant Sources

  • https://github.com/rasta-mouse/RuralBishop
Details 
typelibguid = "FE4414D9-1D7E-4EEB-B781-D278FE7A5619"
strings:
    "\x00NtMapViewOfSection\x00"
    "\x00NtOpenProcess\x00"
    "\x00NtAlertResumeThread\x00"
    "\x00LdrGetProcedureAddress\x00"
    "\x00DTrim.Execution.DynamicInvoke\x00"
    "\x00NtAlertResumeThread\x00"
    "\x00LdrGetProcedureAddress\x00"
    "\x00DTrim.Execution.DynamicInvoke\x00"
    "msg"
    "_CorExeMain"
    "RuralBishop"
    "KnightKingside"
    "ReadShellcode"
    "ReverseString"
    "DTrim"
    "QueensGambit"
    "Messages"
    "NtQueueApcThread"
    "NtAlertResumeThread"
    "NtQueryInformationThread"

UNCATEGORIZED / Various

Relevant Sources

  • https://github.com/SpiderLabs/DoHC2
  • https://github.com/tevora-threat/SharpView
  • https://github.com/x3419/SharpDNS
  • https://github.com/peewpw/Invoke-WCMDump
Details 
The hxiocs mention using dism
 - searchprotocolhost
 - and werfault for process injection.

WEAPONIZE

hxioc Snippets

:\\Windows\\(SysWOW64|system32)\\TSTheme\.exe$
cmd.exe
powershell.exe
nslookup.exe
:\Windows\Temp\
:\ProgramData\
:\Users\Public\
\AppData\Roaming\
\AppData\Local\Temp\
start
running
Explorer.exe
:\\Windows\\(SysWOW64|system32)\\TSTheme\.exe$
start
running

WILDCHILD / Loader_MSIL_WildChild

Details 
WildChild is a builder for a least HTAs
 - possibly .NET executables as well.
typelibguid = "2e71d5ff-ece4-4006-9e98-37bb724a7780"
strings:
    "processpath"
    "v4.0.30319"
    "v2.0.50727"
    "COMPLUS_Version"
    "FromBase64Transform"
    "MemoryStream"
    "entry_class"
    "DynamicInvoke"
    "Sendoff"
    "script language="

WMISHARP / HackTool_MSIL_WMISharp

Details 
typelibguid = "3a2421d9-c1aa-4fff-ad76-7fcb48ed4bff"

WMISPY / HackTool_MSIL_WMIspy

Details 
typelibguid = "5ee2bca3-01ad-489b-ab1b-bda7962e06bb"
strings:
    "_CorExeMain"
    "root\\cimv2"
    "root\\standardcimv2"
    "from MSFT_NetNeighbor"
    "from Win32_NetworkLoginProfile"
    "from Win32_IP4RouteTable"
    "from Win32_DCOMApplication"
    "from Win32_SystemDriver"
    "from Win32_Share"
    "from Win32_Process"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment