iam1980/resources.md

Last active August 16, 2023 18:55

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/iam1980/0155d277b03ec535291a1b0a788b3812.js"></script>
Save iam1980/0155d277b03ec535291a1b0a788b3812 to your computer and use it in GitHub Desktop.

Download ZIP

Shadow Brokers EQGRP Lost in Translation resources

Raw

resources.md

Shadow Brokers EQGRP Lost in Translation resources - work in progress

scrapped from @x0rz,@etlow,@Dinosn,@hackerfantastic,@highmeh,@cyb3rops and others

Repositories

Analysis

A quick analysis of the latest Shadow Brokers dump https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/
Timestamps https://gist.github.com/Te-k/66b1fc143f12987bea7a71a39db9af30
Shadow Brokers Exploit Reference Table https://docs.google.com/spreadsheets/d/1sD4rebofrkO9Rectt5S3Bzw6RnPpbJrMV-L1mS10HQc/edit#gid=1602324093
Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with Cobalt Strike https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/
YARA IDS rules https://github.com/Neo23x0/signature-base/blob/master/yara/apt_eqgrp.yar#L1217
Easter Egg Hunt with the Shadow Brokers https://www.myhackerhouse.com/easter-egg-hunt_greetz/
ANALYZING THE DOUBLEPULSAR KERNEL DLL INJECTION TECHNIQUE https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
Windows exploits dump by "TheShadowBrokers" - What you need to know/do http://blog.comsecglobal.com/2017/04/windows-exploits-shadowbrokers.html
DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis https://zerosum0x0.blogspot.co.uk/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Tutorials/Demos

HOW 2 SETUP + INSTALL FUZZBUNCH & DANDERSPRITZ https://gist.github.com/thomhastings/4cddfc1d00c43e1b0b60bd6076c6c0a3
From git clone to Pwned - Owning Windows with DoublePulsar and EternalBlue (Part 1) http://www.pwn3d.org/posts/1721872-from-git-clone-to-pwned-owning-windows-with-doublepulsar-and-eternalblue-part-1
A quick look at the NSA exploits & Dander Spiritz trojan https://hackernoon.com/a-quick-look-at-the-nsa-exploits-dander-spiritz-trojan-1b5428b0ee65
Fuzzbunch on kali via wine: https://github.com/knightmare2600/ShadowBrokers/blob/master/Lost_In_Translation/FUZZBUNCH_linux.txt
MS17-010 exploit with ELEGANTBLUE in FUZZBUNCH for implant DLL deployment using kernel DOUBLEPULSAR https://twitter.com/hackerfantastic/status/853536831056596992
From git clone to Pwned - Owning Windows with DoublePulsar and EternalBlue (Part 2) http://www.pwn3d.org/posts/1723940-from-git-clone-to-pwned-owning-windows-with-doublepulsar-and-eternalblue-part-2
From git clone to Pwned - Owning Windows with DoublePulsar and EternalBlue (Part 3) http://www.pwn3d.org/posts/1724109-from-git-clone-to-pwned-owning-windows-with-doublepulsar-and-eternalblue-part-3
EternalPulsar — A practical example of a made up name https://medium.com/@xNymia/eternalpulsar-a-practical-example-of-a-made-up-name-629737170a9e
HOW TO EXPLOIT ETERNALBLUE & DOUBLEPULSAR TO GET AN EMPIRE/METERPRETER SESSION ON WINDOWS 7/2008 https://www.exploit-db.com/docs/41896.pdf

Metasploit modules

Microsoft Windows MS17-010 SMB Remote Code Execution https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment