Eric Capuano ecapuano
ecapuano
/ share_unshare_libraries.py
Created
November 12, 2023 23:00
Share specified libraries with all Plex users
ecapuano
/ sliver_broad.yara
Last active
October 30, 2023 04:51
Inspired by NCSC UK, but modified to be much less specific. Ref: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule sliver_strings { | |
| meta: | |
| author = "Eric Capuano, inspired by NCSC UK" | |
| description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)" | |
| strings: | |
| $p1 = "/sliver/" | |
| $p2 = "sliverpb" | |
| condition: | |
| all of ($p*) | |
| } |
ecapuano
/ sliver.yara
Created
October 30, 2023 02:43
Sliver YARA Sigs painfully extracted from this damn PDF: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule sliver_github_file_paths_function_names { | |
| meta: | |
| author = "NCSC UK" | |
| description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary" | |
| strings: | |
| $p1 = "/sliver/" | |
| $p2 = "sliverpb." | |
| $fn1 = "RevToSelfReq" | |
| $fn2 = "ScreenshotReq" | |
| $fn3 = "IfconfigReq" |
ecapuano
/ Windows.Destroy.System.yaml
Created
March 1, 2023 22:54
A Velociraptor artifact that causes a Windows system to self-destruct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows.Destroy.System | |
| description: | | |
| **WARNING! THIS IS HIGHLY DESTRUCTIVE!** | |
| Deletes ALL of the things. UNRECOVERABLE! | |
| First deletes sensitive areas (user profiles, event logs) then moves | |
| to wiping and zeroizing the entire C: drive. | |
| The system will ultimately fail before the process finishes, but the |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A retired winlogbeats config maintained by the Recon InfoSec SOC | |
| # contains most the higher value events needed for detection and response | |
| # should be tuned for your specific environment and log volume tolerance | |
| winlogbeat.event_logs: # Global Event Logs Config | |
| - name: Security | |
| ignore_older: 24h | |
| processors: | |
| - script: | |
| when.equals.winlog.channel: Security |
ecapuano
/ secrets.yara
Created
October 10, 2022 23:47
— forked from dustyfresh/secrets.yara
yara signatures converted from trufflehog regexes for identifying secrets in text files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara signatures for identifying secrets in text files. Requires libmagic! | |
| Mostly all stolen from Trufflehog regexes: | |
| - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json | |
| */ | |
| import "magic" |
ecapuano
/ gist:fc0cde0e9293bff8b01783cf8666d214
Created
June 1, 2022 00:23
Velociraptor Unsigned Processes w/VT Lookups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Run against hunt results from Windows.System.Pslist | |
| // Note: Returns ONLY unsigned processes, which minimizes less critical API calls | |
| // Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert | |
| LET VTKey <= "$apikey" | |
| LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source() | |
| WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries | |
| LIMIT 50 | |
| SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results) |
ecapuano
/ wmi_event_consumer_stacking.txt
Last active
May 26, 2022 01:42
wmi_event_consumer_stacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // run against results from Windows.Persistence.PermanentWMIEvents | |
| // https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml | |
| SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source() | |
| // filter common FPs | |
| WHERE ConsumerName != "BVTConsumer" | |
| AND ConsumerName != "SCM Event Log Consumer" | |
| AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer" | |
| AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer" | |
| AND ConsumerName != "CmdLineConsumer_WSCEAA" |
ecapuano
/ gist:13386852fb80beac4561f2bed569095e
Created
March 7, 2021 04:00
HAFNIUM IIS Log Search Patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs... | |
| # Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1 | |
| # | |
| # https://twitter.com/eric_capuano | |
| # Quick check for likely successful attacks | |
| ## Bash (faster) | |
| egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
| ## PowerShell | |
| Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log |
ecapuano
/ Eradication.ps1
Created
June 27, 2020 14:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A script that will safely remove adversary footholds on systems. | |
| # | |
| # Be sure to replace your observables down below. Be careful not to | |
| # included LOLBINs as they cannot be safely killed this way. Use | |
| # Kill-Threads.ps1 for those. | |
| # | |
| # Used with great success during CF20 | |
| # | |
| # Author: Eric Capuano |
NewerOlder