Wes wesinator
// https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain
rule RTF_weaponizer_objh300
{
    meta:
        author = "Anomali"
        tlp = "GREEN"
        version = "1.0"
        date = "2018-11-13"
        hash = "9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e"
# https://www.openrce.org/repositories/users/RolfRolles/ExportHashesToIDC.py
import pefile
import sys
import os

# Convenience functions: 32-bit rotates, masked so results stay within a uint32
def rol32(val, amt):
    return ( (val << amt) & 0xffffffff ) | ( ( val >> (32 - amt) ) & 0xffffffff )

def ror32(val, amt):
    # Body is cut off in the gist preview; reconstructed here as the mirror of rol32
    return ( (val >> amt) & 0xffffffff ) | ( ( val << (32 - amt) ) & 0xffffffff )
# https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
from ctypes import c_uint32
from struct import pack, unpack

def decrypt(data):
    # Seed all four state words from the first little-endian DWORD of the input
    p1 = p2 = p3 = p4 = unpack("<L", data[0:4])[0]
    pos = 0
    decdata = ""
@wesinator
wesinator / quarian_session_key.py
Last active July 11, 2019 20:33
Quarian session key algorithm in Python - https://threatconnect.com/divide-and-conquer/
# https://threatconnect.com/divide-and-conquer/
def quarian_session_key(C2_nonce, implant_nonce):
    session_key = ''
    for i in range(0, 8):
        # XOR the two nonces byte by byte; a zero result is substituted with ~i
        c = C2_nonce[i] ^ implant_nonce[i]
        if c == 0:
            c = ~i
# https://www.netscout.com/blog/asert/tunneling-under-sands
import binascii

# Hex-encoded exfil blob whose two halves are interleaved: each recovered byte is
# built from character x of the first half and character x of the second half
data = 'EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0'
half = len(data) // 2
exfil_data = []
for x in range(half):
    pair = data[x] + data[half + x]
    try:
        exfil_data.append(binascii.unhexlify(pair))
    except (binascii.Error, ValueError):
        # Keep non-hex pairs as-is rather than dropping them
        exfil_data.append(pair)
#!/bin/bash
# Put a list of IPs into UFW: deny outbound traffic to every address in ips.txt (one per line)
IPs=ips.txt
while read -r ip; do
    [ -n "$ip" ] && sudo ufw deny out to "$ip"
done < "$IPs"
@wesinator
wesinator / ADS-T1076.md
Created October 12, 2018 23:41
Example alerting and detection strategy for RDP

Goal

Detect Remote Desktop Protocol (RDP) activity that could indicate malicious or unauthorised access.

Categorization

This activity is categorised as Lateral Movement / Remote Desktop Protocol in the killchain and ATT&CK frameworks respectively.

Strategy Abstract

The strategy consists of:

  • Collecting Windows authentication logs
  • Checking remote logon type events for unauthorised user access
rsync -a myfile /foo/bar/ # works if /foo exists but /foo/bar doesn't. bar is created.
Windows Registry Editor Version 5.00
; Created by: Shawn Brink
; Created on: December 29th 2016
; Tutorial: https://www.tenforums.com/tutorials/73601-permanently-delete-add-context-menu-windows-10-a.html
[HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Windows.PermanentDelete]
"CommandStateSync"=""
"ExplorerCommandHandler"="{E9571AB2-AD92-4ec6-8924-4E5AD33790F5}"
#!/bin/sh
sudo apt install docker.io
sudo apt install npm coffeescript libicu-dev ruby-dev ruby-bundler rake-compiler ruby-mocha ruby-plist pry ruby-yajl ruby-byebug
sudo gem install -g Gemfile