Raphael rsmudge
rsmudge
/ search.cna
Last active
May 3, 2024 16:02
Search scrollback for a Beacon (even the stuff that's cut off)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # search for and reproduce output that matches a specific regex. | |
| alias search { | |
| local('$regex $regex2 $entry $event $bid $out $when'); | |
| # take all of the args, without processing/parsing as normal. | |
| if (strlen($0) > 7) { | |
| $regex = substr($0, 7); | |
| } | |
| else { | |
| berror($1, "search [regex]"); |
rsmudge
/ checkit.cna
Created
September 18, 2020 16:44
Fire a beacon_revisited event when we get a checkin event that occurs some window of time (e.g., 60s here) after the last checkin event. Keep in mind checkin is only fired on task acknowledgement. If you set the window to 8 hours and don't interact with the Beacon for 8 hours--you'll fire revisited.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global('%checkins'); | |
| on beacon_checkin { | |
| local('$last'); | |
| if ($1 in %checkins) { | |
| $last = %checkins[$1]; | |
| # has it been 1m since the last task acknowledgement? | |
| if (($3 - $last) > 60000) { |
rsmudge
/ mkimport.cna
Created
January 14, 2021 20:17
import creds from a file with mimikatz output.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # import mimikatz creds from a file. | |
| # go to View -> Script Console | |
| # load this script | |
| # type importcreds /path/to/file.txt | |
| sub process { | |
| if ($luser eq "(null)" || $luser eq "") { | |
| return; | |
| } |
OlderNewer