- SPAirPortDataType
- SPApplicationsDataType
- SPAudioDataType
- SPBluetoothDataType
- SPCameraDataType
- SPCardReaderDataType
- SPConfigurationProfileDataType
- SPDeveloperToolsDataType
- SPDiagnosticsDataType
- SPDisabledSoftwareDataType
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
The most difficult challenge with RMM detection is contextual awareness around usage: deciding whether a given use is legitimate or malicious.
- If the software is not used in the environment:
  - Could it be a legitimate install by a random employee?
  - Is it an attacker BYOL?
  - Even so, all occurrences can probably be treated as suspicious.
- If it is used in the environment:
  - Is every use of it legitimate? Probably not.
  - This also creates a significant living off the land (LOL) opportunity.
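The contextual triage described above, as an added example that is not part of the original notes. The point is that the verdict for the same RMM binary depends on whether the product is sanctioned at all, who ran it and what started it, so the scorer checks those three things against an environment policy. The tool inventory, the policy, the account names and the process events are all constructed for illustration.

```python
"""Contextual RMM triage over constructed process-creation events (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed inventory of RMM executables, keyed by lower-case image file name.
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.client.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "atera.agent.exe": "Atera",
}

# Constructed environment policy: only ScreenConnect is sanctioned, it is operated
# by the helpdesk accounts, and it is normally started by the service host.
POLICY = {
    "approved_products": {"ScreenConnect"},
    "operator_accounts": {"CORP\\svc_helpdesk", "CORP\\helpdesk.ops"},
    "expected_parents": {"services.exe", "screenconnect.clientservice.exe"},
}


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    cmdline: str


def classify(event: ProcEvent, policy: dict = POLICY) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for RMM activity, or None if the image is not an RMM tool."""
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    product = RMM_TOOLS.get(image_name)
    if product is None:
        return None
    parent_name = event.parent_image.rsplit("\\", 1)[-1].lower()

    if product not in policy["approved_products"]:
        # Not used in the environment: every occurrence deserves a look, whether it is
        # an employee's side install or attacker BYOL.
        return ("high", f"{product} is not an approved RMM product")
    if event.user not in policy["operator_accounts"]:
        return ("medium", f"approved product {product} run by non-operator {event.user}")
    if parent_name not in policy["expected_parents"]:
        return ("medium", f"approved product {product} spawned from unexpected parent {parent_name}")
    return ("info", f"{product} run by an operator from an expected parent")


def triage(events):
    """Run classify() over a batch and keep only findings that need analyst review."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict and verdict[0] != "info":
            findings.append((ev.host, ev.user, verdict))
    return findings


# Constructed sample events: sanctioned use, sanctioned tool misused, unsanctioned tool, non-RMM.
SAMPLE_EVENTS = [
    ProcEvent("WS-0412", "CORP\\svc_helpdesk",
              "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.Client.exe",
              "C:\\Windows\\System32\\services.exe", "ScreenConnect.Client.exe"),
    ProcEvent("WS-0412", "CORP\\jdoe",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.Client.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ScreenConnect.Client.exe"),
    ProcEvent("WS-0098", "CORP\\jdoe",
              "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
              "C:\\Windows\\explorer.exe", "AnyDesk.exe --install"),
    ProcEvent("WS-0098", "CORP\\jdoe",
              "C:\\Windows\\System32\\notepad.exe",
              "C:\\Windows\\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, user, (severity, reason) in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {host} {user}: {reason}")
```

The order of the checks encodes the reasoning in the list above: an unsanctioned product is flagged regardless of who ran it, while a sanctioned product is only escalated when the account or the parent process falls outside what the environment normally produces.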
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
You can execute commands in the context of an AppX package to gain access to its virtualized resources (for example virtualized registry keys or files).
Here are the steps to follow in order to create a malicious CHM file, as used by APT37:
- Download the HTML Help Workshop (Htmlhelp.exe) from MSDN. If the link is dead you can use the archive version here.
- Once installed you should have the folder `C:\Program Files (x86)\HTML Help Workshop` containing the Microsoft HTML Help Compiler (hhc.exe).
- We need to create 3 files:
  - Project file (.hhp)
  - HTML file (.htm)
  - Table of contents file (.hhc)
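The three files above, generated and compiled by a script. This is an added example, not part of the original notes: it writes a benign one-topic project (no payload of any kind) so the layout of the .hhp, .htm and .hhc files is visible, then calls hhc.exe at the install path the notes give if it is present. The project name, title and topic text are made up.

```python
"""Generate an HTML Help Workshop project and compile it with hhc.exe (added example)."""
import os
import subprocess
import tempfile
from pathlib import Path

# Default install location of the compiler, as named in the notes above.
HHC_PATH = r"C:\Program Files (x86)\HTML Help Workshop\hhc.exe"


def build_project(name: str, title: str, body_html: str) -> dict:
    """Return {filename: content} for the .hhp, .htm and .hhc of a one-topic CHM."""
    topic = f"{name}.htm"
    # The project file is INI-style: [OPTIONS] names the outputs, [FILES] lists the topics.
    hhp = "\n".join([
        "[OPTIONS]",
        "Compatibility=1.1 or later",
        f"Compiled file={name}.chm",
        f"Contents file={name}.hhc",
        f"Default topic={topic}",
        "Display compile progress=No",
        f"Title={title}",
        "",
        "[FILES]",
        topic,
        "",
    ])
    htm = (
        f"<html><head><title>{title}</title></head>\n"
        f"<body>\n{body_html}\n</body></html>\n"
    )
    # The table of contents is HTML carrying one text/sitemap OBJECT per topic.
    hhc = "\n".join([
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">',
        "<html><body>",
        "<ul>",
        '  <li><object type="text/sitemap">',
        f'    <param name="Name" value="{title}">',
        f'    <param name="Local" value="{topic}">',
        "  </object>",
        "</ul>",
        "</body></html>",
        "",
    ])
    return {f"{name}.hhp": hhp, topic: htm, f"{name}.hhc": hhc}


def write_project(files: dict, out_dir: str) -> Path:
    """Write the generated files into out_dir and return the path of the .hhp."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for fname, content in files.items():
        (out / fname).write_text(content, encoding="utf-8")
    return next(out / f for f in files if f.endswith(".hhp"))


def compile_chm(hhp_path: Path, hhc_exe: str = HHC_PATH):
    """Run hhc.exe on the project; return the .chm path, or None if the compiler is absent.

    hhc.exe is known to exit with 1 on success, so the exit code is ignored and the
    presence of the output file decides the result.
    """
    if not os.path.exists(hhc_exe):
        return None
    subprocess.run([hhc_exe, str(hhp_path)], cwd=hhp_path.parent, check=False)
    chm = hhp_path.with_suffix(".chm")
    return chm if chm.exists() else None


def demo(out_dir: str = None) -> Path:
    """Write the constructed one-topic project (to a temp dir by default) and return the .hhp path."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="chm_demo_")
    files = build_project("demo", "Demo Help", "<p>Hello from a compiled help file.</p>")
    return write_project(files, out_dir)


if __name__ == "__main__":
    hhp = demo()
    print("project written to", hhp.parent)
    print("compiled:", compile_chm(hhp) or "hhc.exe not found, skipped")
```

From a detection standpoint the same three-file layout is what a dropped build environment looks like on disk: an .hhp pointing at a single .htm next to hhc.exe activity is unusual outside of documentation pipelines.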
This binary can be used as a LOLBIN as described here.
- The flag names are meaningless; only the argument order is checked. As long as you provide exactly 6 arguments (three flags, each followed by a value) the binary will still work. Here are the exact positions for reference:
// Usage: --file <fullyResolvedPath> --processId <processId> --dumpType <dumpType>
This binary can be used as a LOLBIN as described here.
- At least 3 arguments must be supplied.
- The first argument can be anything (instead of `both`, `normal` or `abnormal`): the `switch` clause has no default case, and the `flag` variable is set to `true` before the check.
- The second argument can also be anything; it is used as a file path (relative to the working directory) and a file is written there containing the PID of the process: `File.WriteAllText(args[1], process.Id.ToString());`
- The third argument is passed directly to `ProcessStartInfo` and executed with `Process.Start(startInfo);`, so anything can be called.
# Source: System.Management.Automation.dll
# This list is used to determine if a ScriptBlock contains potentially suspicious content.
# If a match is found, a 4104 event with "Warning" level is generated automatically.
# https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
- "Add-Type"
- "AddSecurityPackage"
- "AdjustTokenPrivileges"
- "AllocHGlobal"
- "BindingFlags"
- "Bypass"
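A small scanner that applies the idea behind that list to script block text, as an added example; it is not the engine's code and not part of the original notes. The term list is only the partial subset shown above (the real list in CompiledScriptBlock.cs is much longer), and the match is assumed here to be a case-insensitive substring search, which is also why a harmless comment that mentions "Bypass" is enough to raise the Warning-level 4104. The sample script blocks are constructed.

```python
"""Suspicious-content check over PowerShell script block text (added example)."""

# Partial subset of the signature list shown in the notes above.
SUSPICIOUS_TERMS = [
    "Add-Type",
    "AddSecurityPackage",
    "AdjustTokenPrivileges",
    "AllocHGlobal",
    "BindingFlags",
    "Bypass",
]


def first_suspicious_term(script_text: str, terms=SUSPICIOUS_TERMS):
    """Return the first term found in the script block text, or None.

    Assumed semantics: case-insensitive substring match, no tokenisation, so hits
    inside comments and string literals count just like hits in live code.
    """
    lowered = script_text.lower()
    for term in terms:
        if term.lower() in lowered:
            return term
    return None


def all_suspicious_terms(script_text: str, terms=SUSPICIOUS_TERMS):
    """Return every matching term, in list order, for analyst context."""
    lowered = script_text.lower()
    return [t for t in terms if t.lower() in lowered]


def event_level(script_text: str) -> str:
    """Level the 4104 event would carry: Warning when flagged, otherwise the
    Verbose level that ordinary script block logging uses."""
    return "Warning" if first_suspicious_term(script_text) else "Verbose"


# Constructed sample script blocks.
SAMPLES = {
    # Reflective loading: a BindingFlags lookup is enough to trip the check.
    "loader": ('$asm = [System.Reflection.Assembly]::Load($bytes); '
               '$m = $asm.GetType("X").GetMethod("Run", [Reflection.BindingFlags]::Static)'),
    # Only a comment mentions the term, yet the block is still flagged.
    "comment": "# run with -ExecutionPolicy Bypass if blocked\nGet-Date",
    # Nothing from the list appears.
    "benign": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:8s} {event_level(text):8s} {all_suspicious_terms(text)}")
```

Two practical consequences follow from the substring semantics: the check is cheap to evaluate but noisy (documentation comments and module help text trigger it), and a script that assembles one of these strings at runtime is not matched until the assembled text is itself compiled as a new script block.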