Skip to content

Instantly share code, notes, and snippets.

@ajpc500
ajpc500 / ReflectedDll.c
Created December 15, 2021 14:39 — forked from Cracked5pider/ReflectedDll.c
Get output from injected reflected dll
//===============================================================================================//
// This is a stub for the actuall functionality of the DLL.
//===============================================================================================//
#include "ReflectiveLoader.h"
#include <stdio.h>
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
@ajpc500
ajpc500 / c3_reflective_dll_artefacts.yara
Created June 16, 2021 20:06
Yara rule to detect C3 shellcode in-memory based on known strings
rule C3_reflective_dll_artefact {
meta:
description = "C3 Reflective DLL Artefacts"
author = "ajpc500"
date = "2021-06-09"
strings:
$s1 = "NodeRelayDll_r64.dll"
$s2 = "NodeRelayDll_r86.dll"
$sx = "StartNodeRelay"
@ajpc500
ajpc500 / sharpsphere.yara
Created June 16, 2021 18:17
Yara rule to detect James Coote's (@jkcoote) SharpSphere tool, either on-disk or in-memory.
rule SharpSphere {
meta:
description = "Strings in SharpSphere binary."
author = "Alfie Champion (ajpc500)"
date = "2021-06-12"
strings:
$s0 = "SharpSphere" ascii wide
$s1 = "Upload file to target VM" ascii wide
$s2 = "Download file from target VM" ascii wide
$s3 = "[x] Attempting to execute with cmd /c the following command:" wide
@ajpc500
ajpc500 / log-forwarding-with-etw.ps1
Last active June 29, 2023 01:31
Quick-and-dirty PowerShell script to install Sysmon (SwiftOnSecurity config), SilkService and Winlogbeat, and forward logs to HELK based on IP set in environment variable "HELK_IP" (see Line 224).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient
if (!(Test-Path "C:\Tools")) {
New-Item -Path "C:\" -Name "Tools" -ItemType "directory"
}
# SYSMON
# Download Sysmon
$SysmonDirectory = "C:\Tools\Sysmon\"
@ajpc500
ajpc500 / binToUUIDs.yara
Created January 24, 2021 18:04
PoC Yara rule for PE shellcode artefacts in UUIDs
rule PEs_converted_to_UUID {
meta:
description = "Loading PE shellcode through UUIDs"
author = "ajpc500"
date = "2021-01-24"
reference_url1 = "https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/"
reference_url2 = "https://gist.github.com/rxwx/c5e0e5bba8c272eb6daa587115ae0014#file-uuid-c"
strings:
// UUIDs for "This program cannot be run in DOS mode"
$s1 = "70207369-6f72-7267-616d-2063616e6e6f"
@ajpc500
ajpc500 / binToUUIDs.py
Created January 24, 2021 18:00
Convert shellcode file to UUIDs
from uuid import UUID
import os
import sys
# Usage: python3 binToUUIDs.py shellcode.bin [--print]
print("""
____ _ _______ _ _ _ _ _____ _____
| _ \(_) |__ __| | | | | | | |_ _| __ \
| |_) |_ _ __ | | ___ | | | | | | | | | | | | |___