//===============================================================================================// | |
// This is a stub for the actual functionality of the DLL. | |
//===============================================================================================// | |
#include "ReflectiveLoader.h" | |
#include <stdio.h> | |
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are | |
// defined in the project properties (Properties->C++->Preprocessor) so that we can specify our own | |
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL. |
rule C3_reflective_dll_artefact { | |
meta: | |
description = "C3 Reflective DLL Artefacts" | |
author = "ajpc500" | |
date = "2021-06-09" | |
strings: | |
$s1 = "NodeRelayDll_r64.dll" | |
$s2 = "NodeRelayDll_r86.dll" | |
$sx = "StartNodeRelay" | |
rule SharpSphere { | |
meta: | |
description = "Strings in SharpSphere binary." | |
author = "Alfie Champion (ajpc500)" | |
date = "2021-06-12" | |
strings: | |
$s0 = "SharpSphere" ascii wide | |
$s1 = "Upload file to target VM" ascii wide | |
$s2 = "Download file from target VM" ascii wide | |
$s3 = "[x] Attempting to execute with cmd /c the following command:" wide |
# Tooling bootstrap: force TLS 1.2 for the WebClient used by the downloads below and
# make sure the C:\Tools target directory exists before anything is fetched into it.
# NOTE(review): nothing in this stretch pins a hash or checks a signature for what $wc
# fetches — confirm that the download steps further down verify the binaries before
# they are installed/run.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
# Shared client for the downloads that follow (see the Sysmon section below).
$wc = New-Object System.Net.WebClient | |
# Create C:\Tools only when it is missing; New-Item would error on an existing path.
if (!(Test-Path "C:\Tools")) { | |
New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
} | |
# SYSMON | |
# Download Sysmon | |
# Install location for Sysmon under the tools root created above.
$SysmonDirectory = "C:\Tools\Sysmon\" |
rule PEs_converted_to_UUID { | |
meta: | |
description = "Loading PE shellcode through UUIDs" | |
author = "ajpc500" | |
date = "2021-01-24" | |
reference_url1 = "https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/" | |
reference_url2 = "https://gist.github.com/rxwx/c5e0e5bba8c272eb6daa587115ae0014#file-uuid-c" | |
strings: | |
// UUIDs for "This program cannot be run in DOS mode" | |
$s1 = "70207369-6f72-7267-616d-2063616e6e6f" |
from uuid import UUID | |
import os | |
import sys | |
# Usage: python3 binToUUIDs.py shellcode.bin [--print] | |
print(""" | |
____ _ _______ _ _ _ _ _____ _____ | |
| _ \(_) |__ __| | | | | | | |_ _| __ \ | |
| |_) |_ _ __ | | ___ | | | | | | | | | | | | |___ |