├── ADS-detect.ps1
├── BMC-NVRAM-shell-detection.yara
├── DeepPurple.ps1
├── README.md
├── RedLine Malware_GCP_Sigma.txt
├── RedLine_Malware_GCP.txt
├── RedLine_Malware_GCP_Yara.txt
├── aa20-352a-detection.ps1
├── fake_cert.yara
└── ruler_attack.yara

--------------------------------------------------------------------------------
/ADS-detect.ps1:
--------------------------------------------------------------------------------
# Malware using PowerShell and ADS https://www.redcanary.com/blog/using-alternate-data-streams-bypass-user-account-controls/
# PowerShell script to find ADS - original code from https://obligatorymoniker.wordpress.com/2013/02/11/find-all-files-with-alternate-data-streams/
# To test, create a txt file with an ADS from a cmd.exe prompt: > echo "ADS" > test.txt:hidden.txt
# (from PowerShell use: Set-Content test.txt -Stream hidden.txt -Value ADS)
#
# Every NTFS file carries the unnamed ':$DATA' stream, and Zone.Identifier is the
# mark-of-the-web stream added to downloads, so both are filtered out and only
# other named streams are reported.

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data' | where stream -ne 'Zone.Identifier'

--------------------------------------------------------------------------------
/BMC-NVRAM-shell-detection.yara:
--------------------------------------------------------------------------------
/*
    Baseboard Management Controller - NVRAM rule
    This ruleset is based on 35C3 - Modchips of the State by Trammell Hudson https://www.youtube.com/watch?time_continue=1&v=C7H3V7tkxeA
    John Franolich
    revision: 20181228
    Also see https://www.codeproject.com/Articles/38226/NvramRestorer-dumping-and-restoring-BIOS-settings
    License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
    Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
*/

rule NVRAM_shell
{
    meta:
        description = "Baseboard Management Controller - NVRAM rule - Generic Rule - possible script found in BMC zip file"
        author = "John Franolich"
        reference = "Trammell Hudson https://www.youtube.com/watch?time_continue=1&v=C7H3V7tkxeA"
        date = "2018/12/28"
        score = 60

    strings:
        // Regular expressions must be written between slashes in YARA. A leading ".*"
        // adds nothing to the match but slows scanning, so it is dropped. Note that
        // "$" anchors to the end of the scanned file, not to the end of a line.
        $s0 = /\.sh$/ ascii

    condition:
        $s0
}

--------------------------------------------------------------------------------
/DeepPurple.ps1:
--------------------------------------------------------------------------------
<#
DeepPurple.ps1
--------------
** Credit to Eric Conrad for DeepBlue **
hxxps://github.com/sans-blue-team/DeepBlueCLI

John "Fran the Man" Franolich
and his humble sidekick

Notes:
1. To collect artifacts download and run hxxps://github.com/SekoiaLab/Fastir_Collector/releases

2. Keep this in the same directory as:
   DeepBlue.ps1
   whitelist.txt
   regex.txt

#>

param ([string]$file=$env:file,[string]$log=$env:log)

# Directory names to skip (wildcards allowed); empty means recurse into everything.
$exclude = @()

function ProcessEventsDirDeepDive([string]$file)
{
    # Run DeepBlue over the contents of this directory
    $dirpath = $file + "\*"
    .\DeepBlue $dirpath

    # Then descend into every subdirectory that is not excluded
    foreach ($item in Get-ChildItem $file)
    {
        if ($exclude | Where {$item -like $_}) { continue }

        if (Test-Path $item.FullName -PathType Container)
        {
            ProcessEventsDirDeepDive($item.FullName)
        }
    }
}

function Main
{
    ProcessEventsDirDeepDive($file)
}

. Main

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Hunting-Scripts
A collection of hunting and blue team scripts and tools; mostly by others.
## PowerShell

SAML/Solarwinds:
1. https://github.com/cyberark/shimit
2. https://github.com/CrowdStrike/CRT
3. https://github.com/cisagov/Sparrow

- fake sandbox https://github.com/Phoenix1747/fake-sandbox
- VM hide (from malware) https://github.com/d4rksystem/VBoxCloak
- DevSec to detect PS tick usage & obfuscation https://github.com/danielbohannon/DevSec-Defense https://www.x33fcon.com/archive/2018/slides/x33fcon18_DevSecDefense_DanielBohannon.pdf https://www.youtube.com/watch?v=QJe8xikf-iE
- Process Spawn Control suspends newly launched processes https://github.com/felixweyne/ProcessSpawnControl
- Find injected processes https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
- Find Forms https://gist.github.com/staaldraad/0604788fbe974cd53ed59cc1e3185cce
- Detect rule attacks in Windows events https://gist.github.com/staaldraad/a7de22afa69ec10f1ec7d995d2bd913c
- Timeline from memory https://www.pigstye.net/forensics/volatility.html
- Invoke-Adversary to test defenses https://github.com/MotiBa/Invoke-Adversary/tree/master
- Baseline gold PEs https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e
- Remove macros https://chentiangemalc.wordpress.com/2012/01/17/powershell-script-to-remove-office-macro-protection/
- PS to pcap https://www.nospaceships.com/2018/09/19/packet-capture-on-windows-without-drivers.html
- Find Kerberos Golden Tickets https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 & https://github.com/spohara79/TGT---Golden-Silver-Ticket
- Skeleton Key scanner https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73
- Detect ruler attacks in Exchange and DC logs https://sensepost.com/blog/2017/notruler-turning-offence-into-defence/
- Detect DCShadow attacks https://github.com/AlsidOfficial/UncoverDCShadow
- A PowerShell script to interact with the MITRE ATT&CK Framework via its own API https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
- Mitigate internal recon by altering Net Session Enumeration https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
- Hunting webshells on Microsoft Exchange Servers https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter
- Power Forensics https://github.com/Invoke-IR/PowerForensics
- Mem pull https://github.com/n3l5/irMempull
- PS IR https://github.com/mgreen27/Powershell-IR https://www.linkedin.com/pulse/invoke-liveresponse-matthew-green
- DeepBlue CLI https://github.com/sans-blue-team/DeepBlueCLI
- Jason Fossen's SANS SEC505 repository https://github.com/EnclaveConsulting/SANS-SEC505
- PS script to detect memory-only CLR (.NET) modules https://gist.github.com/dezhub/2875fa6dc78083cedeab10abc551cb58
- Flare VM http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1 https://github.com/fireeye/flare-vm
- RVMI Rekall https://github.com/fireeye/rvmi-rekall
- List Kerberos Tickets https://gallery.technet.microsoft.com/scriptcenter/List-All-Cached-Kerberos-5ba41829
- List local admins https://gallery.technet.microsoft.com/scriptcenter/ed4a0cb7-603c-488d-afeb-194b7a60f42f
- Get AD Trust Topology https://gallery.technet.microsoft.com/scriptcenter/Get-AD-Trust-Topology-f8f2d1d7 & https://github.com/WiredPulse/PowerShell/blob/master/Active_Directory/Get-DomainTrusts.ps1
- ADFS Security Audit Events Parser https://gallery.technet.microsoft.com/scriptcenter/ADFS-Security-Audit-Events-81c207cf
- Self-signed certs http://cyberfibers.com/2017/11/hunting-self-signed-certificates/
- Encrypt/Decrypt files using AES encryption https://gallery.technet.microsoft.com/scriptcenter/EncryptDecrypt-files-use-65e7ae5d
- Get the status of A/V local or remote https://gallery.technet.microsoft.com/scriptcenter/Get-the-status-of-4b748f25
- List SPNs https://gallery.technet.microsoft.com/List-all-SPNs-Used-in-your-e0c6267a
- Invoke web request detection https://gist.github.com/Centurion89/33b9517b75d238b59fd85fd060514279
- Another PS list https://www.peerlyst.com/posts/resource-infosec-powershell-tools-resources-and-authors
- Managing PowerShell in a modern corporate environment https://www.nccgroup.trust/uk/our-research/managing-powershell-in-a-modern-corporate-environment/
- Detect PS obfuscation https://github.com/jaapbrasser/Events/blob/master/2017-09-01_BSidesAms2017/Demo/Demo2.ps1 vid https://www.youtube.com/watch?v=WOC8vC2KoNs&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB&index=12
- PoSH IR and PS https://github.com/WiredPulse/PoSh-R2
- PS hash compare, find bad CCleaner example, net conns http://cyberfibers.com/category/powershell/
- EternalBlue vuln scan https://gallery.technet.microsoft.com/scriptcenter/EternalBlue-Vulnerability-bf3ad11d
- Generate AppLocker rule based on hash https://gallery.technet.microsoft.com/scriptcenter/Generate-AppLocker-baaa9278
- Check Autoruns at bootup https://gallery.technet.microsoft.com/scriptcenter/Malware-detection-and-995f01eb
- CERT diff https://isc.sans.edu/forums/diary/Keep+An+Eye+on+your+Root+Certificates/23030/
- Various PS https://github.com/WiredPulse/PowerShell
- Hunt PS scripts https://github.com/DLACERT/ThreatHunting
- Detect PTH https://github.com/cyberark/ketshash
- Detect shadow admins https://github.com/cyberark/ACLight
- Find Exchange Mailboxes with Forwarding Addresses Enabled http://www.syspanda.com/index.php/2018/01/10/exchange-find-mailboxes-forwarding-addresses-enabled/
- Get USB history https://gallery.technet.microsoft.com/scriptcenter/Get-USBHistory-707e43a3
- ms17-010-Scanner https://github.com/vletoux/ms17-010-Scanner
- Find local priv escalation https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1
- Threat Hunting Reconnaissance Toolkit THRecon https://github.com/TonyPhipps/THRecon
- PowerShell Defense https://github.com/Ben0xA/PowerShellDefense
- Extracts Windows Defender Exploit Guard events from the 'Microsoft-Windows-Windows Defender/Operational' event log https://demo.wd.microsoft.com/Content/getEGEvents.zip
- Audit script https://github.com/A-mIn3/WINspect
- User Simulator https://github.com/ubeeri/Invoke-UserSimulator
- Audit AD https://github.com/phillips321/adaudit
- Evil Maid detection https://pastebin.com/hAEHibHf
- SQLi detection https://github.com/NetSPI/PowerUpSQL
- Check the carved memory file for presence of Meterpreter C2 https://github.com/countercept/memory-carving-scripts/blob/master/Get-MeterpreterC2.ps1
- Dump memory http://www.exploit-monday.com/2012/03/powershell-live-memory-analysis-tools.html#Dump-Memory
- Find vuln GPOs https://github.com/gpoguy/GetVulnerableGPO
- OAuth Hunting (Azure) https://github.com/dmb2168/OAuthHunting
- Test phish defenses with macros https://github.com/curi0usJack/luckystrike
- Discover Unquoted Service Paths that can be abused to escalate privs https://gist.github.com/Evilcry/ba70b8fa746ef7ae352d14bcaaf6bfbb

## Yara

- Outlook ruler detection https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- Signaturing an Authenticode anomaly with Yara https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/signaturing-an-authenticode-anomaly-with-yara/
- Loki https://github.com/Neo23x0/Loki
- Entropy of PE files https://cyberdefenses.com/yara-entropy-bit-math/
- Rule for CCleaner https://blog.nviso.be/2017/09/21/yara-rules-for-ccleaner-5-33/
- Detect Mimikatz golden ticket https://blog.didierstevens.com/2016/08/12/mimikatz-golden-ticket-dcsync/
- HEX to assembly https://haiderm.com/convert-hex-assembly-using-simple-python-script/
- Bin/API analysis including FN2Yara https://github.com/cmu-sei/pharos
- Find fake certs https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/

## Python

- find malicious .NET malware compile https://gist.github.com/countercept/7765ba05ad00255bcf6a4a26d7647f6e
- find DoublePulsar https://github.com/countercept/doublepulsar-detection-script
- Script to check for security bugs in smart contracts https://github.com/ConsenSys/mythril/blob/master/security_checks.md
- Ransomware simulator https://gitlab.com/networkintelligence/inr/ransom_sim/tree/master
- Script for malware analysis https://github.com/beenuar/Py-DarkC0de/blob/master/analyse_malware.py
- Make your own Volatility plug-in https://github.com/iAbadia/Volatility-Plugin-Tutorial
- Kill Chain Fuzzer https://github.com/SafeBreach-Labs/blog-snippets/blob/master/killchainfuzzer.py
- FastIR https://github.com/SekoiaLab/Fastir_Collector
- Mystique - enterprise malicious mutex detection https://github.com/MinervaLabsResearch/Mystique
- SSDeep Elastic https://github.com/intezer/ssdeep-elastic
- Memory Patch detector https://github.com/intezer/MemoryPatchDetector
- Script to compare your similar Linux cloud application servers with each other to discover possible indications of compromise https://github.com/morphuslabs/distinct
- Phishing catcher using Certstream (https://certstream.calidog.io/) https://github.com/x0rz/phishing_catcher
- Leak File Analyzer https://github.com/Neo23x0/radiocarbon
- Find miners https://github.com/wrinkl3/MineSweepR
- Inspect PDFs https://github.com/jesparza/peepdf
- User simulation https://github.com/cmu-sei/usersim
- Find PeddleCheap in pcaps https://github.com/johnbergbom/PeddleCheap/blob/master/dp_decrypt.py (with samples)
- Find DanderSpritz https://github.com/fox-it/danderspritz-evtx
- Python exe unpacker https://github.com/countercept/python-exe-unpacker
- RDP Bitmap Cache parser https://github.com/ANSSI-FR/bmc-tools
- Mac OS IR Tool https://github.com/daguy666/Transit
- Tool for automatic list generation of known TOR and VPN exit nodes https://github.com/uforia/exitgather
- Parsing tool to discover potential SQL injection points https://github.com/RhinoSecurityLabs/SleuthQL

## Go

- find webshells (can use regular expressions) https://github.com/tstillz/webshell-scan

## Misc

- Open source tools from the Netflix Security Team https://medium.com/netflix-techblog/a-brief-history-of-open-source-from-the-netflix-cloud-security-team-412b5d4f1e0c
- APT Simulator https://github.com/Neo23x0/APTSimulator
- Infection Monkey - APT Simulator https://github.com/guardicore/monkey
- CALDERA automated adversary emulation system https://github.com/mitre/caldera
- APT3 Emulator https://attack.mitre.org/wiki/Adversary_Emulation_Plans
- PS to exe https://github.com/interference-security/PS2EXE
- YARA signature to check for DEP and ASLR https://summitroute.com/blog/2017/07/24/yara_sigs_for_security_best_practices/
- CyLR CDQR Forensics Virtual Machine (CCF-VM) https://github.com/rough007/CCF-VM (a-z endpoint IR collection to database backend)
- Threat Hunting Playbook https://github.com/Kathayra/ThreatHunter-Playbook and TH tracking https://github.com/Kathayra/HT-Trackr
- Android vuln tester https://github.com/AndroidVTS/android-vts
- Sysmon config https://github.com/SwiftOnSecurity/sysmon-config
- GRR write up https://chip-dfir.techanarchy.net/?p=395
- Detect dll hijacking https://github.com/adamkramer/dll_hijack_detect
- Detection mapped to the MITRE matrix https://github.com/redcanaryco/atomic-red-team
- .NET runtime inspector https://github.com/enkomio/shed
- harden windows https://github.com/securitywithoutborders/hardentools/releases/tag/v1.0

## Deception: it is all about the buzz

- Emulate VM environments https://github.com/adamkramer/rapid_env
- test a sandbox - PoC malware with good intentions https://github.com/LordNoteworthy/al-khaser
- Pafish - Testing tool to emulate an infection https://github.com/a0rtega/pafish
- https://canarytokens.org/generate
- todo: FTK scripting https://accessdata.com/product-download/windows-32bit-3.1.1/
- Hook Finder https://github.com/hasherezade/hook_finder
- Lateral Movement script https://securelist.com/happy-ir-in-the-new-year/83557/
- find dll injects http://cyberfibers.com/2017/11/525/
- event subscription https://github.com/palantir/windows-event-forwarding
- Binary command-line executable to parse ETL files https://github.com/gcpartners/ETLParser

## Other lists

- https://github.com/rshipp/awesome-malware-analysis
- https://github.com/0x4D31/awesome-threat-detection

--------------------------------------------------------------------------------
/RedLine Malware_GCP_Sigma.txt:
--------------------------------------------------------------------------------
title: RedLine Malware using GCP
author: John Franolich & Open AI
date: '2023-01-08'
description: >
    Detects RedLine Malware used in conjunction with Google Cloud Platform. The path and file
    locations of the local GCP client secrets, access token, SQLite db and bearer token details
    are from SANS SEC488 author Ryan Nicholson's class.
    Open AI comments are: Note that this rule will only work if the path to the Login Data files
    is hardcoded into the rule. If the path to the files is variable (e.g., if the username of the
    user is different on each system), you will need to use a more complex rule to locate the
    files. Let me know if you have any questions about this!
references:
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jan2023.pdf
    - https://asec.ahnlab.com/en/29885/
tags:
    - attack.execution
    - attack.t1101
    - attack.t1083
    - attack.command_and_control
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - malware.redline
logsource:
    # Assumed source: the conditions are file-path matches, so the Sigma file-access
    # category (field TargetFilename) is used; the rule as first written gave product
    # and service as unknown.
    category: file_access
    product: windows
    definition: Search for RedLine malware used in conjunction with Google Cloud Platform.
detection:
    # Browser profile directories that hold the "Login Data" credential store
    selection_browser_chrome:
        TargetFilename|contains|all:
            - 'Chrome'
            - 'User Data'
            - 'Default'
    selection_browser_edge:
        TargetFilename|contains|all:
            - 'MicrosoftEdge'
            - 'User'
            - 'Default'
    selection_browser_opera:
        TargetFilename|contains|all:
            - 'Opera Software'
            - 'Opera Stable'
    selection_browser_whale:
        TargetFilename|contains|all:
            - 'Naver'
            - 'Naver Whale'
            - 'User Data'
            - 'Default'
    selection_login_data:
        TargetFilename|endswith: 'Login Data'
    # Local gcloud CLI state: default configuration, stored credentials, cached access tokens
    selection_gcloud_config:
        TargetFilename|contains|all:
            - 'gcloud'
            - 'configuration'
            - 'config_default'
    selection_gcloud_creds:
        TargetFilename|contains|all:
            - 'gcloud'
            - 'credentials.db'
    selection_gcloud_tokens:
        TargetFilename|contains|all:
            - 'gcloud'
            - 'access_tokens.db'
    condition: (1 of selection_browser_* and selection_login_data) or 1 of selection_gcloud_*
# Two indicators from the first draft cannot be expressed in a file-access rule and are
# left out of the condition above:
#   filesize < 50MB (no standard Sigma field for it)
#   TCP source or destination port 15647 (network telemetry; needs its own rule with
#   logsource category network_connection and the SourcePort/DestinationPort fields)
level: medium
--------------------------------------------------------------------------------
/RedLine_Malware_GCP.txt:
--------------------------------------------------------------------------------
rule RedLine_Malware_used_with_GCP_Yara_Rule
{
    meta:
        author = "John Franolich & Chat Open AI"
        comment = "Sources & credits: Google Threat Horizons Report https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jan2023.pdf; https://asec.ahnlab.com/en/29885/ The path & file locations of the local GCP client secrets, access token, SQLite db, bearer token are from SANS SEC488 Author Ryan Nicholson's class. Open AI comments are: Note that this rule will only work if the path to the Login Data files is hardcoded into the rule. If the path to the files is variable (e.g., if the username of the user is different on each system), you will need to use a more complex rule to locate the files. Let me know if you have any questions about this!"
    strings:
        $login_data = "Login Data" ascii

    condition:
        // "filepath" is not a YARA built-in; it is an external variable the scanner must
        // supply, as Loki does or as "yara -d filepath=<path>" does on the command line.
        // The draft also listed tcp.srcport/tcp.dstport == 15647; that is Wireshark filter
        // syntax for network telemetry, which YARA cannot evaluate, so it is left out here.
        filesize < 50MB and
        (
            (filepath contains "Chrome" and filepath contains "User Data" and filepath contains "Default") or
            (filepath contains "MicrosoftEdge" and filepath contains "User" and filepath contains "Default") or
            (filepath contains "Opera Software" and filepath contains "Opera Stable") or
            (filepath contains "Naver" and filepath contains "Naver Whale" and filepath contains "User Data" and filepath contains "Default") or
            (filepath contains "gcloud" and filepath contains "configuration" and filepath contains "config_default") or
            (filepath contains "gcloud" and filepath contains "credentials.db") or
            (filepath contains "gcloud" and filepath contains "access_tokens.db")
        ) and
        $login_data
}
--------------------------------------------------------------------------------
/RedLine_Malware_GCP_Yara.txt:
--------------------------------------------------------------------------------
rule RedLine_Malware_used_with_GCP
{
    meta:
        author = "John Franolich & Chat Open AI"
        comment = "Sources & credits: Google Threat Horizons Report https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jan2023.pdf; https://asec.ahnlab.com/en/29885/ The path & file locations of the local GCP client secrets, access token, SQLite db, bearer token are from SANS SEC488 Author Ryan Nicholson's class. Open AI comments are: Note that this rule will only work if the path to the Login Data files is hardcoded into the rule. If the path to the files is variable (e.g., if the username of the user is different on each system), you will need to use a more complex rule to locate the files. Let me know if you have any questions about this!"
    strings:
        $login_data = "Login Data" ascii

    condition:
        // "filepath" is not a YARA built-in; it is an external variable the scanner must
        // supply, as Loki does or as "yara -d filepath=<path>" does on the command line.
        // The draft also listed tcp.srcport/tcp.dstport == 15647; that is Wireshark filter
        // syntax for network telemetry, which YARA cannot evaluate, so it is left out here.
        filesize < 50MB and
        (
            (filepath contains "Chrome" and filepath contains "User Data" and filepath contains "Default") or
            (filepath contains "MicrosoftEdge" and filepath contains "User" and filepath contains "Default") or
            (filepath contains "Opera Software" and filepath contains "Opera Stable") or
            (filepath contains "Naver" and filepath contains "Naver Whale" and filepath contains "User Data" and filepath contains "Default") or
            (filepath contains "gcloud" and filepath contains "configuration" and filepath contains "config_default") or
            (filepath contains "gcloud" and filepath contains "credentials.db") or
            (filepath contains "gcloud" and filepath contains "access_tokens.db")
        ) and
        $login_data
}
--------------------------------------------------------------------------------
/aa20-352a-detection.ps1:
--------------------------------------------------------------------------------
#Audit expiring soon Azure AD application credentials (keys/certificates) https://gallery.technet.microsoft.com/scriptcenter/Audit-expiring-soon-Azure-60dbbbcf
#Alert (AA20-352A) https://us-cert.cisa.gov/ncas/alerts/aa20-352a
#Author tweaks John Franolich and Jamie Gambetta
#run from AZ CLI
#(requires the Az PowerShell module: Get-AzADApplication, Get-AzADServicePrincipal, Get-AzADAppCredential)

Write-Host 'Gathering necessary information...'
$applications = Get-AzADApplication
$servicePrincipals = Get-AzADServicePrincipal

$appWithCredentials = @()
$appWithCredentials += $applications | Sort-Object -Property DisplayName | % {
    $application = $_
    # Service principal lookup; not used in the output columns below
    $sp = $servicePrincipals | ? ApplicationId -eq $application.ApplicationId
    Write-Verbose ('Fetching information for application {0}' -f $application.DisplayName)
    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | Select-Object -Property @{Name='DisplayName'; Expression={$application.DisplayName}}, @{Name='ObjectId'; Expression={$application.Id}}, @{Name='ApplicationId'; Expression={$application.ApplicationId}}, @{Name='KeyId'; Expression={$_.KeyId}}, @{Name='Type'; Expression={$_.Type}}, @{Name='StartDate'; Expression={$_.StartDate -as [datetime]}}, @{Name='EndDate'; Expression={$_.EndDate -as [datetime]}}
}

Write-Host 'Validating expiration data...'
$today = (Get-Date).ToUniversalTime()
$appWithCredentials | Sort-Object EndDate | % {
    if($_.EndDate -lt $today) {
        $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Expired'
    } else {
        $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Valid'
    }
    # Parameter names need plain ASCII hyphens; copy-pasted en dashes (–Start) break the call
    $Duration = New-TimeSpan -Start $_.StartDate -End $_.EndDate
    $_ | Add-Member -MemberType NoteProperty -Name 'DurationInDays' -Value $Duration.TotalDays
}

$appWithCredentials
Write-Host 'Done.'

--------------------------------------------------------------------------------
/fake_cert.yara:
--------------------------------------------------------------------------------
/*
    Yara Rule Set
    Author: Published by Didier Stevens
    Date: 2018-07-31
    Sync Date:
    Identifier: Fake Cert
    Reference: https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/

    Note:
    Certificate files can be used by adversaries as a container for all kinds of payloads to avoid detection of the payload by anti-virus, IDS, etc.
    The payload will not activate when the certificate file is opened on a Windows system; it has to be extracted by the actor or malware.
    Conclusion: every X.509 certificate encoded according to RFC 7468 starts with "-----BEGIN CERTIFICATE-----" followed by the letter M
    (the first base64 character of the DER SEQUENCE tag 0x30 that opens every certificate).

    Inference: every certificate file containing "-----BEGIN CERTIFICATE-----" not followed by the letter M cannot be a valid X.509 certificate.
*/

rule certificate_payload
{
    strings:
        // Header at offset 0, CRLF line ending, then any byte other than 'M'.
        // Files with LF-only line endings or a leading BOM are not matched by this pattern.
        $re1 = /-----BEGIN CERTIFICATE-----\r\n[^M]/

    condition:
        $re1 at 0
}
--------------------------------------------------------------------------------
/ruler_attack.yara:
--------------------------------------------------------------------------------
rule Check_ruler_attack
{
    meta:
        Author = "Franolich"
        Description = "Checks for a ruler attack, which typically requires the use of WebDAV for payload delivery. WebDAV writes to disk, and this location should be monitored. https://sensepost.com/blog/2017/notruler-turning-offence-into-defence/"

    strings:
        // Backslashes must be doubled inside YARA text strings; single backslashes
        // produce invalid escape sequences (\w, \S, ...) and the rule does not compile.
        $key = "%systemdrive%\\windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore"

    condition:
        all of them
}
--------------------------------------------------------------------------------
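Why the fake_cert.yara rule works, and the same check in plain Python so it can be run over PEM files offline. This is an added example, not code from the repo or from Didier Stevens' post; the sample certificate blobs are constructed, and the function also reports the LF-only and leading-BOM cases that the CRLF-anchored YARA regex does not flag.

```python
import base64
import re

# Every DER-encoded X.509 certificate is an ASN.1 SEQUENCE, so its first byte is the
# tag 0x30. base64 turns the top six bits of that byte (0b001100 = 12) into 'M', which
# is why an RFC 7468 certificate body always opens with "M" and the rule can key on it.
DER_SEQUENCE_TAG = b"\x30"

# The header exactly as fake_cert.yara spells it. The line-ending group also accepts a
# bare LF so the function can report files the CRLF-only YARA regex would not flag.
HEADER_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(\r\n|\n)(.)", re.DOTALL)


def expected_first_char() -> str:
    """First base64 character of any DER SEQUENCE ('M')."""
    return base64.b64encode(DER_SEQUENCE_TAG).decode("ascii")[0]


def inspect_pem(data: bytes) -> dict:
    """Apply the fake_cert.yara reasoning to a file's bytes and explain the verdict.

    'suspicious' is the general check (body does not start with 'M').
    'yara_match' reproduces exactly what /-----BEGIN CERTIFICATE-----\\r\\n[^M]/ at 0
    sees: header at offset 0, CRLF line ending, then a byte other than 'M'.
    """
    m = HEADER_RE.search(data)
    if m is None:
        return {"has_header": False, "suspicious": False, "yara_match": False}
    crlf = m.group(1) == b"\r\n"
    first = m.group(2).decode("latin-1")
    suspicious = first != expected_first_char()
    return {
        "has_header": True,
        "offset": m.start(),
        "crlf": crlf,
        "first_char": first,
        "suspicious": suspicious,
        "yara_match": suspicious and crlf and m.start() == 0,
    }


def make_pem(body: bytes, newline: bytes = b"\r\n", prefix: bytes = b"") -> bytes:
    """Wrap arbitrary bytes in a PEM-style CERTIFICATE block (constructs test data only)."""
    b64 = base64.b64encode(body)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (prefix + b"-----BEGIN CERTIFICATE-----" + newline
            + newline.join(lines) + newline
            + b"-----END CERTIFICATE-----" + newline)


# Constructed samples: a DER-shaped SEQUENCE (base64 "MIIB...") and a script wrapped in
# a certificate envelope, the shape certutil -encode gives any input file.
VALID_LIKE = make_pem(b"\x30\x82\x01\x22" + b"\x00" * 20)
PAYLOAD_CRLF = make_pem(b"Write-Host 'constructed payload'")
PAYLOAD_LF = make_pem(b"Write-Host 'constructed payload'", newline=b"\n")
PAYLOAD_BOM = make_pem(b"Write-Host 'constructed payload'", prefix=b"\xef\xbb\xbf")

if __name__ == "__main__":
    for name, blob in [("valid_like", VALID_LIKE), ("payload_crlf", PAYLOAD_CRLF),
                       ("payload_lf", PAYLOAD_LF), ("payload_bom", PAYLOAD_BOM)]:
        print(f"{name:13} {inspect_pem(blob)}")
```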
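The RedLine/GCP conditions in the Sigma and YARA files above mix file-path, file-size and TCP-port tests in one expression. This added Python (not the repo's code) renders the intended grouping so it can be tested against constructed telemetry before it is written into a SIEM or scanner; the branch structure (size gate on every branch, "Login Data" paired with the browser profile paths, a gcloud credential file as an indicator on its own) is my reading of the draft, and the event types, process names and paths are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Path fragments taken from the rules. Every fragment in a tuple must be present
# (Sigma's `contains|all`); any single tuple is enough (the rules' `or` chain).
BROWSER_PROFILE_PATHS = (
    ("Chrome", "User Data", "Default"),
    ("MicrosoftEdge", "User", "Default"),
    ("Opera Software", "Opera Stable"),
    ("Naver", "Naver Whale", "User Data", "Default"),
)
GCLOUD_CREDENTIAL_PATHS = (
    ("gcloud", "configuration", "config_default"),
    ("gcloud", "credentials.db"),
    ("gcloud", "access_tokens.db"),
)
LOGIN_DATA = "Login Data"        # the one string the YARA rule carries
MAX_FILESIZE = 50 * 1024 * 1024  # the rules' `filesize < 50MB` gate
SUSPECT_PORT = 15647             # tcp.srcport / tcp.dstport in the rules


@dataclass(frozen=True)
class FileAccess:
    process: str
    path: str
    size: int


@dataclass(frozen=True)
class TcpConnection:
    process: str
    src_port: int
    dst_port: int


def _contains_all(path: str, fragments: Tuple[str, ...]) -> bool:
    return all(fragment in path for fragment in fragments)


def classify_file_access(event: FileAccess) -> Optional[str]:
    """Return the rule branch a file access satisfies, or None. The size gate applies
    to every branch; "Login Data" goes with the browser profile paths; a gcloud
    credential file is an indicator on its own."""
    if event.size >= MAX_FILESIZE:
        return None
    if LOGIN_DATA in event.path and any(
            _contains_all(event.path, p) for p in BROWSER_PROFILE_PATHS):
        return "browser_login_data"
    if any(_contains_all(event.path, p) for p in GCLOUD_CREDENTIAL_PATHS):
        return "gcloud_credentials"
    return None


def classify_connection(conn: TcpConnection) -> Optional[str]:
    """Network half of the rule; YARA cannot see it, so it needs NSM or EDR telemetry."""
    return "tcp_15647" if SUSPECT_PORT in (conn.src_port, conn.dst_port) else None


def evaluate(files: List[FileAccess], conns: List[TcpConnection]) -> List[Tuple[str, str]]:
    """Return (process, branch) for every event that matched."""
    hits = [(f.process, classify_file_access(f)) for f in files]
    hits += [(c.process, classify_connection(c)) for c in conns]
    return [(proc, branch) for proc, branch in hits if branch is not None]


# Constructed telemetry, not real samples: a stealer-like process plus benign noise.
CHROME_LOGIN = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_FILES = [
    FileAccess("updater.exe", CHROME_LOGIN, 262_144),
    FileAccess("updater.exe", r"C:\Users\alice\AppData\Roaming\gcloud\access_tokens.db", 16_384),
    FileAccess("updater.exe", r"C:\Users\alice\AppData\Roaming\gcloud\configurations\config_default", 512),
    FileAccess("chrome.exe", CHROME_LOGIN, 262_144),            # the browser itself also matches
    FileAccess("notepad.exe", r"C:\Users\alice\Documents\Login Data notes.txt", 2_048),  # no profile path
    FileAccess("updater.exe", CHROME_LOGIN, 60 * 1024 * 1024),  # over the size gate
]
SAMPLE_CONNS = [
    TcpConnection("updater.exe", 49512, 15647),
    TcpConnection("chrome.exe", 49600, 443),
]

if __name__ == "__main__":
    for process, branch in evaluate(SAMPLE_FILES, SAMPLE_CONNS):
        print(f"{process:12} {branch}")
```

The chrome.exe hit shows that the rules match on path alone, so the browser's own reads of Login Data fire too; the process field is where a tuning exclusion would go.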