| # Download YARA (Modify if a different version is needed) | |
| wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.1.2.tar.gz | |
| tar -zxf yara-4.1.2.tar.gz | |
| cd yara-4.1.2 | |
| ./bootstrap.sh | |
| # Prerequisites | |
| sudo apt install automake libtool make gcc pkg-config libssl-dev | |
| # Build with make |
| # MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID | |
| # devices for triggering the vulnerable Windows Driver installer | |
| # credits for the Windows Driver install vuln: @j0nh4t | |
| # | |
| # https://twitter.com/j0nh4t/status/1429049506021138437 | |
| # https://twitter.com/an0n_r0/status/1429263450748895236 | |
| # | |
| # the script was developed & tested on Android LineageOS 18.1 |
| Regex | Source | |
|---|---|---|
| MSSE-[0-9a-f]{3}-server | Default Cobalt Strike Artifact Kit binaries | |
| status_[0-9a-f]{2} | Default psexec_psh | |
| postex_ssh_[0-9a-f]{4} | Default SSH beacon | |
| msagent_[0-9a-f]{2} | Default SMB beacon | |
| postex_[0-9a-f]{4} | Default Post Exploitation job (v4.2+) | |
| mojo.5688.8052.183894939787088877[0-9a-f]{2} | jquery-c2.4.2.profile | |
| mojo.5688.8052.35780273329370473[0-9a-f]{2} | jquery-c2.4.2.profile | |
| wkssvc[0-9a-f]{2} | jquery-c2.4.2.profile | |
| ntsvcs[0-9a-f]{2} | trick_ryuk.profile |
| x64_config_spawn_to_x64 | count | |
|---|---|---|
| %windir%\sysnative\RuntimeBroker.exe | 2 | |
| %windir%\sysnative\WUAUCLT.exe | 3 | |
| %windir%\sysnative\WerFault.exe | 7 | |
| %windir%\sysnative\adobe64.exe | 1 | |
| %windir%\sysnative\cmstp.exe | 1 | |
| %windir%\sysnative\dllhost.exe | 14 | |
| %windir%\sysnative\dllhost.exe -o enable | 1 | |
| %windir%\sysnative\eventvwr.exe | 1 | |
| %windir%\sysnative\gpresult.exe | 2 |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
| import argparse | |
| import yara | |
| from colorama import init, Fore, Back, Style | |
| init() | |
| args_parser = argparse.ArgumentParser() | |
| args_parser.add_argument('-f', '--file', help='cobaltstrike shellcode exe file', type=str, required=True) | |
| args_parser.add_argument('-o', '--out', help='output file', type=str, required=False) | |
| args = args_parser.parse_args() |
Step 1) Start an AMSI ETW trace from an elevated command prompt
logman start trace AMSITrace -p Microsoft-Antimalware-Scan-Interface (Event1) -o amsi.etl -ets
Step 2) Run your evil maldoc or script. Note: AMSI can capture runtime context of VBA, Excel4, JScript, VBScript, PowerShell, WMI, and .NET (4.8+) in-mem assembly loads
Step 3) Stop the AMSI trace
| ########## | |
| # Tweaked Win10 Initial Setup Script | |
| # Primary Author: Disassembler <[email protected]> | |
| # Primary Author Source: https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # Tweaked Source: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1/ | |
| # | |
| # If you're a power user looking to tweak your machinea, or doing larger roll-out.. | |
| # Use the @Disassembler0 script instead. It'll probably be more up-to-date than mine: | |
| # https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| # |
| # A script that will safely remove adversary footholds on systems. | |
| # | |
| # Be sure to replace your observables down below. Be careful not to | |
| # included LOLBINs as they cannot be safely killed this way. Use | |
| # Kill-Threads.ps1 for those. | |
| # | |
| # Used with great success during CF20 | |
| # | |
| # Author: Eric Capuano |
