Original sending to Mockbin (use a new mockbin)
[byte[]]$NTLMType2 =
@(
0x4e,0x54,0x4c,0x4d,   # "NTLM"
0x53,0x53,0x50,0x00,   # "SSP\0" - completes the NTLMSSP signature
0x02,0x00,0x00,0x00,   # message type 2 (CHALLENGE)
0x00,0x00,0x00,0x00,   # TargetName length / max length
0x00,0x28,0x00,0x00    # the remaining bytes of the message are truncated in the source; array closed here so the snippet parses
)
- name: PrintDemon
  description: |
    Atomic Test to emulate PrintDemon.
    [Reference](https://github.com/BC-SECURITY/Invoke-PrintDemon)
    Also seen on TryHackme - https://tryhackme.com/room/dllhijacking
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: File path for ualapi.dll
- name: Headless Browser Accessing Mockbin
  description: |
    The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.
  supported_platforms:
  - windows
  input_arguments:
    bin_id:
      description: Mockbin.org BIN ID
      type: string
      default: f6b9a876-a826-4ac0-83b8-639d6ad516ec
import requests
import os
import json

file_path = "ids.txt"                 # list of BIN IDs, one per line
base_url = "https://mockbin.org/bin"
log_directory = "logs"
script_directory = "scripts"

# Create the log directory if it is missing.
# The source fragment ends at the "if" line; the obvious body is supplied so the snippet runs.
if not os.path.exists(log_directory):
    os.makedirs(log_directory)
- name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.

    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.

    Or run:
Inventory Protocol Handlers
Splunk:
[powershell://LOLProtocolHandlers]
script = Get-Item Registry::HKEY_CLASSES_ROOT\*| Select-Object "Property", "PSChildName" | ForEach-Object { $_ | ConvertTo-Json; Write-Host "" }
#schedule = 0 0 * * *
schedule = */1 * * * *
sourcetype = PwSh:LOLProtocolHandlers
index=win
#include <windows.h>
#include <iostream>
#include <dbghelp.h>
#include <TlHelp32.h>

// Base of the driver's IOCTL code space; individual control codes are
// derived from it by adding a per-function offset.
#define IOCTL_BASE 0x80012008
constexpr DWORD IREC_IOCTL(DWORD x) { return IOCTL_BASE + x; }
#define IOTCL_IREC_OPEN_PROCESS IREC_IOCTL( 0x20 )

// Win32 device path used to obtain a handle to the driver
static const char* DeviceName = R"(\\.\IREC)";
My script, PowerDropping, currently accomplishes the following parts of the PowerDrop behavior:
Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including the following: