petergs

Claude Code Forensics Artifacts

A few notes on investigating execution of malicious skills via Claude Code

Plugins, Marketplaces, & Skills

MacOS/Linux

# installed plugins 
$> cat ~/.claude/plugins/installed_plugins.json
{
  "version": 2,

petergs

terraform plan -out=tfplan
terraform show tfplan | less -R

petergs

# 1. install iamlive 
brew install iann0036/iamlive/iamlive

# 2. run iamlive 
iamlive --mode proxy --output-file readonly.json --force-wildcard-resource 

# 3. in a separate terraform window
export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

petergs

<#
    File: Invoke-EnumerateAzureBlobs.ps1
    Author: Karl Fosaaen (@kfosaaen), NetSPI - 2018
    Description: PowerShell function for enumerating public Azure Blob file resources.
    Parts of the Permutations.txt file borrowed from - https://github.com/brianwarehime/inSp3ctor

    Small updates by @petergs captured in these PRs:
    - https://github.com/NetSPI/MicroBurst/pull/53
    - https://github.com/NetSPI/MicroBurst/pull/54
#>

petergs

Bookmarks

MacOS

MacOS DFIR

Apple Unified Log

• https://www.kandji.io/blog/mac-logging-and-the-log-command-a-guide-for-apple-admins
• https://www.crowdstrike.com/en-us/blog/how-to-leverage-apple-unified-log-for-incident-response/
• https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html

Microsoft

Azure / Entra / M365

petergs

import requests
import json
import pathlib
import sys

def upload(access_token: str, file_path: str, file_name: str):
    headers = {
        'Authorization': f'Bearer {access_token}',
        'Content-Type': 'text/plain'
    }

petergs

Microsoft Graph CLI Cheatsheet

I've generally found the Microsoft Graph CLI (mgc) hard to work with. In many cases, harder than using the Graph API endpoints directly or language-specific SDKs. In general, Entra directory-related commands seem to work well, but other parts of the Graph API are rough around the edges from a usability perspective.

This doc provides some quick examples so I never have to work through the trial-and-error of figuring them out again.

OneDrive

Listing and downloading items

petergs

#!/bin/bash
curl "https://login.microsoftonline.com/getuserrealm.srf?login=$1&json=1"

petergs

Fidelity SMS Phishing Campaign November 2024

Overview

Fidelity-themed phishing campaign observed November 2024

Techniques & Tactics

• Use of CloudFlare anti-bot features to prevent automated access
• Use of server-based User-Agent checks to discourage access by non-phone devices
• Use of Javascript-based checks on viewport dimensions and User-Agent to discourage access by non-phone devices
• Phishing

petergs

Entra ID First Party Microsoft Applications

csv of pre-consented first-party applications listed via the servicePrincipals endpoint

The list (microsoft-first-party-applications.csv) can be generated via

mgc service-principals list --all --filter "appOwnerOrganizationId eq f8cdef31-a31e-4b4a-93e4-5f571e91255a" --count true --consistency-level eventual --select appId,displayName | jq -r '.value[] | [.appId, .displayName] | @csv'

This list is more extensive, but is missing entries compared to this page from Microsoft Documentation: Verify first-party Microsoft applications in sign-in reports. These applications are captured in applications-from-docs.csv.