MrThreat
MrThreat
/ gist:a3f210baa4ff9009352d11c3b88565ab
Created
October 18, 2017 04:51
quick pcap parser for malware
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #simple pcap extractor for malware analysis | |
| #@grotezinfosec | |
| #arguments passed | |
| pcap=$1 | |
| clear | |
| if [[ $# -lt 1 ]] ; then | |
| echo "========================" | |
| echo "= Usage =" | |
| echo "=./pcap_check PCAP-FILE=" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Roddendoc | |
| { | |
| meta: | |
| author = "Grotez" | |
| date = "2017-10-18" | |
| description = "datenight" | |
| hash0 = "707feb462bc1845b66eb137f517858a8" | |
| sample_filetype = "office" | |
| yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" | |
| strings: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule Rodden | |
| { | |
| meta: | |
| author = "Grotez" | |
| date = "2017-10-18" | |
| description = "datenight" | |
| hash0 = "e523f6c34f9cb9a3652d1fad38b2329b" | |
| sample_filetype = "exe" | |
| yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" | |
| strings: |
MrThreat
/ gist:a602f95320a85043e60a0c661cccd582
Created
October 19, 2017 03:37
Finding files linux file system
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| grep pattern files – Search for the pattern in files | |
| grep -r pattern dir – Search recursively for the pattern in dir | |
| command | grep pattern – Search for the pattern in the output of the command | |
| locate file – Find all instances of the file | |
| find / -name filename – Starting with the root directory, look for the file called filename |
MrThreat
/ Block DDE attacks Windows
Created
November 10, 2017 02:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail] |
MrThreat
/ findbadlinkers.yar
Created
September 17, 2018 05:25
Bsides malware yara rule APT lnk files.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule lnkfileoverRFC | |
| { | |
| strings: | |
| $header = {4c00 0000 0114 0200 0000} //lnk file header | |
| $command = "C:\\Windows\\System32\\cmd.exe" fullword ascii //cmd is precursor to findstr | |
| $command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex | |
| $base64 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD" ascii //some base64 filler, needed to work with routine | |
| $cert = "l -decode" ascii //base64 decoder | |
| condition: | |
| filesize > 15KB and ($header at 0) and $command and $command2 and $cert and $base64 |
OlderNewer