Jym Cheong jymcheong
@jymcheong
jymcheong / InterceptorThing.ps1
Created January 26, 2018 00:16
Interceptor - Normal User No Admin Required.
<#
.SYNOPSIS
This script demonstrates the ability to capture and tamper with Web sessions.
For secure sessions, this is done by dynamically writing certificates to match the requested domain.
This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack.
Function: Interceptor
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@jymcheong
jymcheong / winlogon.reg
Created February 12, 2018 08:24 — forked from anonymous/winlogon.reg
WinLogon Windows 7 x64 COM Hijack
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@jymcheong
jymcheong / DGAtester.cs
Created March 26, 2018 06:46
C# to resolve list of domains
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;
namespace DGAtester
{
@jymcheong
jymcheong / ALLexes.ps1
Created April 3, 2018 01:43
Get All EXEs
$Dir = get-childitem "C:\" -recurse
$List = $Dir | where {$_.extension -eq ".exe"}
$List | Select-Object -ExpandProperty fullname | out-file EXEs.txt
@jymcheong
jymcheong / autonxlog.ps1
Last active February 19, 2025 15:25
Auto-install Nxlog with Chocolatey Package Manager
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
iex "choco install nxlog -y"
$client = New-Object System.Net.WebClient
# download & save the correct nxlog config which includes Sysmon, Nxlog WILL FAIL if Sysmon is not installed
if ([System.IntPtr]::Size -eq 4) { # I also assumed no change in default install paths
$url = "https://raw.githubusercontent.com/jymcheong/SysmonResources/master/6.%20Sample%20Data/nxlog.conf32.txt"
$path = "C:\Program Files\nxlog\conf\nxlog.conf"
} else {
$url = "https://raw.githubusercontent.com/jymcheong/SysmonResources/master/6.%20Sample%20Data/nxlog.conf64.txt"
@jymcheong
jymcheong / win_r_auto.au3
Created October 9, 2018 05:52
Auto Run All EXEs
#include <File.au3>
#Include <WinAPI.au3>
#Include <WindowsConstants.au3>
Func Win_R($fullpath)
$splitArray = StringSplit($fullpath,"\")
$arraySize = UBound($splitArray)
Send("#r")
WinWait("Run", "", 10)
Send($fullpath & "{ENTER}")
@jymcheong
jymcheong / lq.js
Last active October 16, 2018 03:29
OrientJS beta sample
const OrientDBClient = require("orientjs").OrientDBClient;
var _session, _client, _handle;
OrientDBClient.connect({
host: "localhost",
port: 2424
}).then(client => {
_client = client;
client.session({ name: "YOURDB", username: "YOURID", password: "YOURPASSWORD" })
.then(session => {
@jymcheong
jymcheong / windows_hardening.cmd
Created November 5, 2018 04:04 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@jymcheong
jymcheong / SysmonEventGUIDParser.ps1
Created December 22, 2018 07:47 — forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
# Author: Matthew Graeber (@mattifestation)
$Epoch = Get-Date '01/01/1970'
# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)
# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {
@jymcheong
jymcheong / autosshd
Created December 30, 2018 13:48 — forked from maratsh/autosshd
autosshd is the autossh daemon.
#!/bin/bash
#
# autosshd This script starts and stops the autossh daemon
#
# chkconfig: 2345 95 15
# processname: autosshd
# description: autosshd is the autossh daemon.
# Source function library.
. /etc/rc.d/init.d/functions