C2 Jarm - Detect
parent
2dadd3f35b
commit
197d816040
|
@ -0,0 +1,27 @@
|
|||
id: cobalt-strike-c2-jarm
|
||||
|
||||
info:
|
||||
name: Cobalt Strike C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
|
||||
reference:
|
||||
- https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443
|
||||
tags: jarm,c2,ir,osint
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'"
|
|
@ -0,0 +1,24 @@
|
|||
id: covenant-c2-jarm
|
||||
|
||||
info:
|
||||
name: Covenant C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://twitter.com/MichalKoczwara/status/1548685058403360770
|
||||
tags: c2,ir,osint,covenant,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b'"
|
|
@ -0,0 +1,24 @@
|
|||
id: deimos-c2-jarm
|
||||
|
||||
info:
|
||||
name: Deimos C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux.It is entirely written in Golang with a front end written in Vue.js.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://twitter.com/MichalKoczwara/status/1551632627387473920
|
||||
tags: c2,ir,osint,deimos,jarm,network
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64'"
|
|
@ -0,0 +1,24 @@
|
|||
id: evilginx2-jarm
|
||||
|
||||
info:
|
||||
name: EvilGinx2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies which in turn allows bypassing 2-factor authentication protection.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/kgretzky/evilginx2
|
||||
tags: evilginx2,c2,phishing,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6'"
|
|
@ -0,0 +1,25 @@
|
|||
id: grat-c2-jarm
|
||||
|
||||
info:
|
||||
name: Grat2 C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5. The main idea came from Georgios Koumettou who initiated the project.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/r3nhat/GRAT2
|
||||
tags: shad0w,c2,osint,ir,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
|
|
@ -0,0 +1,26 @@
|
|||
id: mac-c2-jarm
|
||||
|
||||
info:
|
||||
name: MacC2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
MacC2 is a macOS post exploitation tool written in python that uses Objective C calls or python libraries as opposed to command line executions. The client is written in python2, which though deprecated is still being shipped with base Big Sur installs. It is possible down the road that Apple will remove python2 (or python altogether) from base macOS installs but as of Nov 2020 this is not the case. Apple plans to eventually remove scripting runtimes from base macOS installs, but it is unknown when that will happen since Big Sur includes python.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/cedowens/MacC2
|
||||
tags: c2,ir,osint,macc2,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261'"
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
|
||||
condition: or
|
|
@ -0,0 +1,24 @@
|
|||
id: macshell-c2-jarm
|
||||
|
||||
info:
|
||||
name: Macshell C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
MacShellSwift is a proof of concept MacOS post-exploitation tool written in Swift using encrypted sockets. This tool has been tested both pre and post-Catalina. I rewrote a prior tool of mine MacShell (one of my repos) and changed the client to Swift instead of python. This tool consists of two parts: a server script and a client binary. I wrote this tool to help blue teamers proactively guage detections against macOS post-exploitation methods that use macOS internal calls. Red teams can also find this of use for getting ideas around using Swift for macOS post-exploitation
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/cedowens/MacShellSwift
|
||||
tags: c2,ir,osint,macshell,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46'"
|
|
@ -0,0 +1,24 @@
|
|||
id: merlin-c2-jarm
|
||||
|
||||
info:
|
||||
name: Merlin C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Merlin is a post-exploit Command & Control (C2) tool, also known as a Remote Access Tool (RAT), that communicates using the HTTP/1.1, HTTP/2, and HTTP/3 protocols. HTTP/3 is the combination of HTTP/2 over the Quick UDP Internet Connections (QUIC) protocol. This tool was the result of my work evaluating HTTP/2 in a paper titled Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2. Merlin is also my first attempts at learning Golang.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://merlin-c2.readthedocs.io/en/latest/
|
||||
tags: c2,ir,osint,merlin,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38'"
|
|
@ -0,0 +1,26 @@
|
|||
id: metasploit-c2-jarm
|
||||
|
||||
info:
|
||||
name: Metasploit C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
A Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has to exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit which serves as both exploitation and C2 frameworks.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
||||
tags: c2,ir,osint,metasploit,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d'"
|
||||
- "jarm(Hostname) == '07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823'"
|
||||
condition: or
|
|
@ -0,0 +1,26 @@
|
|||
id: mythic-c2-jarm
|
||||
|
||||
info:
|
||||
name: Mythic C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
|
||||
It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
||||
tags: c2,ir,osint,mythic,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
|
|
@ -0,0 +1,26 @@
|
|||
id: posh-c2-jarm
|
||||
|
||||
info:
|
||||
name: Posh C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
|
||||
reference: |
|
||||
- - https://github.com/cedowens/C2-JARM
|
||||
- https://twitter.com/MichalKoczwara/status/1551639708949692416
|
||||
- https://poshc2.readthedocs.io/en/latest/
|
||||
tags: c2,ir,osint,posh,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261'"
|
|
@ -0,0 +1,25 @@
|
|||
id: shad0w-c2-jarm
|
||||
|
||||
info:
|
||||
name: Shad0w C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
SHAD0W is a modular C2 framework designed to successfully operate on mature environments.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/bats3c/shad0w
|
||||
tags: shad0w,c2,osint,ir,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
|
|
@ -0,0 +1,25 @@
|
|||
id: silenttrinity-c2-jarm
|
||||
|
||||
info:
|
||||
name: SILENTTRINITY C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. It's the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET API's, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim of this tool and the BYOI concept is to shift the paradigm back to PowerShell style like attacks (as it offers much more flexibility over traditional C# tradecraft) only without using PowerShell.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/byt3bl33d3r/SILENTTRINITY
|
||||
tags: silenttrinity,c2,osint,ir,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
|
|
@ -0,0 +1,24 @@
|
|||
id: sliver-c2-jarm
|
||||
|
||||
info:
|
||||
name: Sliver C2 JARM - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.
|
||||
reference:
|
||||
- https://github.com/cedowens/C2-JARM
|
||||
- https://github.com/BishopFox/sliver
|
||||
tags: c2,ir,osint,sliver,jarm
|
||||
|
||||
tcp:
|
||||
- inputs:
|
||||
- data: 2E
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "jarm(Hostname) == '2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883'"
|
Loading…
Reference in New Issue