jaredhaight

Resources

Malware examples

• Fireeye HammerToss PDF: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• 7 Years of Dukes: https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/
• RTM Banking malware: https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
• Lowball Malware: https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
• CloudAtlas malware: https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Security Tools and Resources

jaredhaight

$token = '' # Get from: https://api.slack.com/custom-integrations/legacy-tokens
$user = Invoke-RestMethod -Uri "https://slack.com/api/auth.test?token=$token"

# Making sure we're on the right account. Thanks @veegr!
$user | Select-Object Url, Team, User | format-list
Write-Output "Is this the correct account?"
$choice = Read-Host "[Y/N]" 
Switch ($choice) { 
  Y {Write-Output "`nDeleting with great vengeance and furious anger`n"} 
  N {

jaredhaight

::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) 
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"

jaredhaight

Blogging Stuff

• Wordpress
• Medium
• Blogger
• Github Pages
• Webhook
• Ghost
• SquareSpace

Open Source Projects

jaredhaight

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SetupUILanguage>
                <UILanguage>en-US</UILanguage>
            </SetupUILanguage>
            <InputLocale>0c09:00000409</InputLocale>
            <SystemLocale>en-US</SystemLocale>
            <UILanguage>en-US</UILanguage>

jaredhaight

#!/bin/bash
#
# DESCRIPTION:
#
#   Set the bash prompt according to:
#    * the active virtualenv
#    * the branch/status of the current git repository
#    * the return value of the previous command
#    * the fact you just came from Windows and are used to having newlines in
#      your prompts.

jaredhaight

using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
 
/*

jaredhaight

# Stolen from here: https://social.technet.microsoft.com/Forums/en-US/bad2dbb1-5deb-48b8-8f8c-45e2b353dba0/how-do-i-get-video-file-duration-in-powershell-script?forum=winserverpowershell#de6ee12a-1c1e-474f-b5ba-ece4b17e0144

function Get-VideoLength {
  param (
    $Path
  )

  if (-not $Path) {
    $Path = (Get-Location).Path
  }

jaredhaight

function Split-String {
  param (
    [Parameter(Mandatory = $true)]
    [string]$String,
    [int]$MinLength = 50,
    [int]$MaxLength = 120,
    [string]$VariableName = "data",
    [ValidateSet("PowerShell", "CSharp")]
    $Format = "PowerShell"
  )

jaredhaight

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: