bontchev

Links describing the leaked EQ Group tools for Windows

Repositories and ports

• Lost in Translation - A repository of the leaked tools

• MS17-010 - Port of some of the exploits to Windows 10

Installation and usage guides

curi0usJack

	# 
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	# 
	# Include /etc/apache2/redirect.rules
	#

chokepoint

#!/usr/bin/env python3

import censys.certificates
import censys.ipv4
from sys import argv

UID = "**CHANGE**"
SECRET = "**CHANGE**"

def is_cloudflare(dn):

infosecn1nja

#!/bin/bash

if [[ $# -le 1 ]] ; then
    echo './obfuscate-mimikatz.sh Invoke-Mimikatz.ps1 newfile.ps1'
    exit 1
fi

randstr(){< /dev/urandom tr -dc a-zA-Z0-9 | head -c${1:-8};}

cp $1 $2

rsmudge

# demonstrate how to add a popup handler to a Swing component in Sleep

import java.awt.*;

import javax.swing.*;
import javax.swing.event.*;

# safely add a listener to show a popup
sub setupPopupMenu {
	# we're using fork({}) to run this in a separate Aggressor Script environment.

N3mes1s

### ref: https://twitter.com/dez_/status/986614411711442944

Write-Host "Current Pid: " $Pid
(Get-Process -Id $pid).priorityclass = "RealTime"
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 0.0001 WHERE TargetInstance ISA "Win32_Process"'

$action = {
    $e = $Event.SourceEventArgs.NewEvent.TargetInstance    
    $fmt = 'ProcessStarted: (ID={0,5}, Parent={1,5}, cmdline={2}, ExecutablePath="{3}, Name={4}")'
    $msg = $fmt -f $e.ProcessId, $e.ParentProcessId, $e.CommandLine, $e.ExecutablePath, $e.Name                  

bohops

RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions.  Here is a gist of (semi) interesting findings
that is not very new...

===========
Inspiration
===========
As you may already know...

zznop

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, [email protected]
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license.  See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF

7MinSec

Introduction

In episode 338 of the 7 Minute Security podcast, I talked about a recent engagement where I helped a customer do a bit of a SIEM solution bake-off. This gist is the companion to that episode, and is broken down into the following two sections:

• Questionnaire - a series of questions you can ask SIEM vendors to gather as many data points about their products and services as possible

• SIEM tests - a few tests you can conduct on your internal/external network to see if your SIEM solution indeed coughs up alerts on some things it should indeed whine about

Questionnaire

Introduction / Purpose

mattifestation

$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"

New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41