Skip to content

MHaggis/notes

Repository files navigation

Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike - SANS Threat Hunting Summit

Cobalt Strike Notes and Resources

Attack Data

Resources

System32 Baselining

 $system32 = Get-ChildItem -Path C:\windows\System32\ -Include '*.exe' -Recurse -ErrorAction SilentlyContinue |

 % {

             [PSCustomObject] @{
                 file_name = $_.name
                 file_path = $_.FullName
                 InternalName = $_.VersionInfo.InternalName
                 fileDescription = $_.VersionInfo.FileDescription
             }
 }

 $system32 | Export-Csv -Path ~\Desktop\data.csv

To see the objects, I just ran: $system32 | format-list

example output

...
file_name       : UsoClient.exe
file_path       : C:\windows\System32\UsoClient.exe
InternalName    : UsoClient
fileDescription : UsoClient
Product         :
...

UAC Elevate

The following are all auto-elevate binaries in System32 that could potentially be used to host a UAC bypass.

Get-ExecutableManifest is in the NtObjectManager PowerShell module.

Install-Module -Name NtObjectManager

The following PowerShell code was used to obtain these files:

ls C:\Windows\System32\*.exe | Get-ExecutableManifest | ? { $_.AutoElevate -and ($_.ExecutionLevel -eq 'requireAdministrator') }

If any of these require GUI interaction, then they are unlikely to be abused in the wild.

Additional references:

Git Search

from github import Github

ACCESS_TOKEN = 'TOKEN HERE'

g = Github(ACCESS_TOKEN)

def search_github(keyword):
    rate_limit = g.get_rate_limit()
    rate = rate_limit.search
    if rate.remaining == 0:
        print(f'You have 0/{rate.limit} API calls remaining. Reset time: {rate.reset}')
        return
    else:
        print(f'You have {rate.remaining}/{rate.limit} API calls remaining')

    query = f'"{keyword}" in:file'
    result = g.search_code(query, order='desc')

    max_size = 100
    print(f'Found {result.totalCount} file(s)')
    if result.totalCount > max_size:
        result = result[:max_size]

    for file in result:
        print(f'{file.download_url}')


if __name__ == '__main__':
    keyword = input('Enter keyword[spawnto_x86, spawnto_x64, pipename, dns_idle]: ')
    search_github(keyword)

I use PowerShell to download the the files:

gc results.txt | % {iwr $_ -outf $(split-path $_ -leaf)}

Simple grep

$csprofiles=~\Desktop\profiles\*.profile
 Get-ChildItem -Path $csprofiles -Recurse | Select-String -Pattern 'set uri' -CaseSensitive | sort |  Get-Unique

About

Full of public notes and Utilities

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published