Skip to content

Instantly share code, notes, and snippets.

View ecapuano's full-sized avatar

Eric Capuano ecapuano

View GitHub Profile
@ecapuano
ecapuano / share_unshare_libraries.py
Created November 12, 2023 23:00
Share specified libraries with all Plex users
# inspired by https://gist.github.com/JonnyWong16/f8139216e2748cb367558070c1448636
# adapted by eric capuano, @[email protected]
# modified to support python3, and supports updating ALL users instead of specifying userIDs manually.
#
# first, add your PLEX_TOKEN and SERVER_ID
# second, add the libraries you want to share/unshare to SHARED_LIBRARY_IDS
# usage: python3 share_unshare_libraries.py share/unshare
import requests
from xml.dom import minidom
@ecapuano
ecapuano / sliver_broad.yara
Last active October 30, 2023 04:51
Inspired by NCSC UK, but modified to be much less specific. Ref: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
rule sliver_strings {
meta:
author = "Eric Capuano, inspired by NCSC UK"
description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
strings:
$p1 = "/sliver/"
$p2 = "sliverpb"
condition:
all of ($p*)
}
rule sliver_github_file_paths_function_names {
meta:
author = "NCSC UK"
description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
strings:
$p1 = "/sliver/"
$p2 = "sliverpb."
$fn1 = "RevToSelfReq"
$fn2 = "ScreenshotReq"
$fn3 = "IfconfigReq"
@ecapuano
ecapuano / Windows.Destroy.System.yaml
Created March 1, 2023 22:54
A Velociraptor artifact that causes a Windows system to self-destruct
name: Windows.Destroy.System
description: |
**WARNING! THIS IS HIGHLY DESTRUCTIVE!**
Deletes ALL of the things. UNRECOVERABLE!
First deletes sensitive areas (user profiles, event logs) then moves
to wiping and zeroizing the entire C: drive.
The system will ultimately fail before the process finishes, but the
@ecapuano
ecapuano / winlogbeats.yml
Created October 18, 2022 02:43
Tuned and curated Winlogbeats config file
# A retired winlogbeats config maintained by the Recon InfoSec SOC
# contains most the higher value events needed for detection and response
# should be tuned for your specific environment and log volume tolerance
winlogbeat.event_logs: # Global Event Logs Config
- name: Security
ignore_older: 24h
processors:
- script:
when.equals.winlog.channel: Security
@ecapuano
ecapuano / secrets.yara
Created October 10, 2022 23:47 — forked from dustyfresh/secrets.yara
yara signatures converted from trufflehog regexes for identifying secrets in text files
/*
Yara signatures for identifying secrets in text files. Requires libmagic!
Mostly all stolen from Trufflehog regexes:
- https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
*/
import "magic"
@ecapuano
ecapuano / gist:fc0cde0e9293bff8b01783cf8666d214
Created June 1, 2022 00:23
Velociraptor Unsigned Processes w/VT Lookups
// Run against hunt results from Windows.System.Pslist
// Note: Returns ONLY unsigned processes, which minimizes less critical API calls
// Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert
LET VTKey <= "$apikey"
LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source()
WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries
LIMIT 50
SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results)
@ecapuano
ecapuano / wmi_event_consumer_stacking.txt
Last active May 26, 2022 01:42
wmi_event_consumer_stacking
// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml
SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
// filter common FPs
WHERE ConsumerName != "BVTConsumer"
AND ConsumerName != "SCM Event Log Consumer"
AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
AND ConsumerName != "CmdLineConsumer_WSCEAA"
@ecapuano
ecapuano / gist:13386852fb80beac4561f2bed569095e
Created March 7, 2021 04:00
HAFNIUM IIS Log Search Patterns
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
#
# https://twitter.com/eric_capuano
# Quick check for likely successful attacks
## Bash (faster)
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
# A script that will safely remove adversary footholds on systems.
#
# Be sure to replace your observables down below. Be careful not to
# included LOLBINs as they cannot be safely killed this way. Use
# Kill-Threads.ps1 for those.
#
# Used with great success during CF20
#
# Author: Eric Capuano