Original sending to Mockbin (use a new mockbin)
[byte[]]$NTLMType2 =
@(
0x4e,0x54,0x4c,0x4d,
0x53,0x53,0x50,0x00,
0x02,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,
0x00,0x28,0x00,0x00,
MHaggis
/ FancyNTLMBear.md
Created
September 6, 2023 13:45
https://www.virustotal.com/gui/file/52951f2d92e3d547bad86e33c1b0a8622ac391c614efa3c5d167d8a825937179
MHaggis
/ T1112.yaml
Created
September 6, 2023 03:08
Atomic Red Team Test - https://twitter.com/M_haggis/status/1699056847154725107?s=20. Grab one, submit a PR! Be quick, whoever submits first gets a shirt + sticker :)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd | |
| description: | | |
| This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed. | |
| To verify the effects of the test: | |
| 1. Open the Registry Editor (regedit.exe). | |
| 2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults". | |
| 3. Check for the presence of the "http" and "https" DWORD values set to `0`. | |
| Or run: | |
| ```batch |
Inventory Protocol Handlers
Splunk:
[powershell://LOLProtocolHandlers]
script = Get-Item Registry::HKEY_CLASSES_ROOT\*| Select-Object "Property", "PSChildName" | ForEach-Object { $_ | ConvertTo-Json; Write-Host "" }
#schedule = 0 0 * * *
schedule = */1 * * * *
sourcetype = PwSh:LOLProtocolHandlers
index=win
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <iostream> | |
| #include <dbghelp.h> | |
| #include <TlHelp32.h> | |
| #define IOCTL_BASE 0x80012008 | |
| constexpr DWORD IREC_IOCTL(DWORD x) { return IOCTL_BASE + x; } | |
| #define IOTCL_IREC_OPEN_PROCESS IREC_IOCTL( 0x20 ) | |
| static const char* DeviceName = R"(\\.\IREC)"; |
MHaggis
/ FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.md
Last active
July 21, 2023 12:04
MHaggis
/ powerdropping.md
Created
June 9, 2023 20:49
My script, PowerDropping, currently accomplishes the following parts of the PowerDrop behavior:
- It sets a buffer size of 128 bytes, matching the chunk size PowerDrop uses when responses exceed this length.
- It uses an ICMPClient, which aligns with PowerDrop's use of ICMP Echo Request messages.
- It includes the use of a hard-coded IP address, similar to PowerDrop's hard-coded IP address for command and control communication.
- It includes data in the ICMP Echo Request message. While my script uses a test string, PowerDrop uses a UTF16-LE encoded string, often a simple string like "!".
- It includes a response timeout of 60 seconds, which is the same as PowerDrop's dwell time after sending a beacon.
- It uses "DRP" and "OCD" as markers, aligning with PowerDrop's use of these strings as prepending and postpending markers in responses.
MHaggis
/ Splunk_MOVEit.md
Created
June 5, 2023 15:42
Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including the following:
- File name
- File path
- File size
- IP address
- Username that performed download
MHaggis
/ Scan-LOLDrivers.ps1
Created
May 19, 2023 16:29
it works - but use with caution :) it's a bit noisy and I think it's broken
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Scan-LOLDrivers { | |
| param( | |
| [Parameter(Mandatory=$true)] | |
| [string]$path | |
| ) | |
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Security.Cryptography; | |
| using System.Security.Cryptography.X509Certificates; |
MHaggis
/ snake_queuefile.ps1
Created
May 10, 2023 16:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define the typical path of the Snake Queue File | |
| $filePath = "$env:windir\registration\" | |
| # Create the folder if it doesn't exist | |
| $null = New-Item -Path $filePath -ItemType Directory -Force | |
| # Generate a random GUID | |
| $guid = [guid]::NewGuid().ToString() | |
| # Define the file name using the generated GUID and the regex pattern |
MHaggis
/ Windows-TerminalServices-RemoteConnectionManager.md
Created
April 17, 2023 20:58
To collect Windows-TerminalServices-RemoteConnectionManager/Operational, add the following to a inputs.conf
We've found that multiline data parses better natively without having to create a props/transforms.
[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = False
renderXml = False
index = win