daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

C2 Jarm - Detect

patch-1
pussycat0x 2023-07-14 12:48:42 +05:30
parent 94e368ccb9
commit ed01088d6d
14 changed files with 350 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
network/jarm/c2/cobalt-strike-c2-jarm.yaml Normal file
View File

@ -0,0 +1,27 @@
id: cobalt-strike-c2-jarm
info:
name: Cobalt Strike C2 JARM - Detect
author: pussycat0x
severity: info
description: |
Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
reference:
- https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
metadata:
verified: true
shodan-query: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443
tags: jarm,c2,ir,osint
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'"

24
network/jarm/c2/covenant-c2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: covenant-c2-jarm
info:
name: Covenant C2 JARM - Detect
author: pussycat0x
severity: info
description: |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
reference:
- https://github.com/cedowens/C2-JARM
- https://twitter.com/MichalKoczwara/status/1548685058403360770
tags: c2,ir,osint,covenant,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '21d14d00000000021c21d14d21d21d1ee8ae98bf3ef941e91529a93ac62b8b'"

24
network/jarm/c2/deimos-c2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: deimos-c2-jarm
info:
name: Deimos C2 JARM - Detect
author: pussycat0x
severity: info
description: |
DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux.It is entirely written in Golang with a front end written in Vue.js.
reference:
- https://github.com/cedowens/C2-JARM
- https://twitter.com/MichalKoczwara/status/1551632627387473920
tags: c2,ir,osint,deimos,jarm,network
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64'"

24
network/jarm/c2/evilginx2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: evilginx2-jarm
info:
name: EvilGinx2 JARM - Detect
author: pussycat0x
severity: info
description: |
Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies which in turn allows bypassing 2-factor authentication protection.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/kgretzky/evilginx2
tags: evilginx2,c2,phishing,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '20d14d20d21d20d20c20d14d20d20daddf8a68a1444c74b6dbe09910a511e6'"

25
network/jarm/c2/grat2-c2-jarm.yaml Normal file
View File

@ -0,0 +1,25 @@
id: grat-c2-jarm
info:
name: Grat2 C2 JARM - Detect
author: pussycat0x
severity: info
description: |
GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5. The main idea came from Georgios Koumettou who initiated the project.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/r3nhat/GRAT2
tags: shad0w,c2,osint,ir,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"

26
network/jarm/c2/mac-c2-jarm.yaml Normal file
View File

@ -0,0 +1,26 @@
id: mac-c2-jarm
info:
name: MacC2 JARM - Detect
author: pussycat0x
severity: info
description: |
MacC2 is a macOS post exploitation tool written in python that uses Objective C calls or python libraries as opposed to command line executions. The client is written in python2, which though deprecated is still being shipped with base Big Sur installs. It is possible down the road that Apple will remove python2 (or python altogether) from base macOS installs but as of Nov 2020 this is not the case. Apple plans to eventually remove scripting runtimes from base macOS installs, but it is unknown when that will happen since Big Sur includes python.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/cedowens/MacC2
tags: c2,ir,osint,macc2,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261'"
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"
condition: or

24
network/jarm/c2/macshell-c2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: macshell-c2-jarm
info:
name: Macshell C2 JARM - Detect
author: pussycat0x
severity: info
description: |
MacShellSwift is a proof of concept MacOS post-exploitation tool written in Swift using encrypted sockets. This tool has been tested both pre and post-Catalina. I rewrote a prior tool of mine MacShell (one of my repos) and changed the client to Swift instead of python. This tool consists of two parts: a server script and a client binary. I wrote this tool to help blue teamers proactively guage detections against macOS post-exploitation methods that use macOS internal calls. Red teams can also find this of use for getting ideas around using Swift for macOS post-exploitation
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/cedowens/MacShellSwift
tags: c2,ir,osint,macshell,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46'"

24
network/jarm/c2/merlin-c2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: merlin-c2-jarm
info:
name: Merlin C2 JARM - Detect
author: pussycat0x
severity: info
description: |
Merlin is a post-exploit Command & Control (C2) tool, also known as a Remote Access Tool (RAT), that communicates using the HTTP/1.1, HTTP/2, and HTTP/3 protocols. HTTP/3 is the combination of HTTP/2 over the Quick UDP Internet Connections (QUIC) protocol. This tool was the result of my work evaluating HTTP/2 in a paper titled Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2. Merlin is also my first attempts at learning Golang.
reference:
- https://github.com/cedowens/C2-JARM
- https://merlin-c2.readthedocs.io/en/latest/
tags: c2,ir,osint,merlin,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38'"

26
network/jarm/c2/metasploit-c2-jarm.yaml Normal file
View File

@ -0,0 +1,26 @@
id: metasploit-c2-jarm
info:
name: Metasploit C2 JARM - Detect
author: pussycat0x
severity: info
description: |
A Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has to exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit which serves as both exploitation and C2 frameworks.
reference:
- https://github.com/cedowens/C2-JARM
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
tags: c2,ir,osint,metasploit,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d'"
- "jarm(Hostname) == '07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823'"
condition: or

26
network/jarm/c2/mythic-c2-jarm.yaml Normal file
View File

@ -0,0 +1,26 @@
id: mythic-c2-jarm
info:
name: Mythic C2 JARM - Detect
author: pussycat0x
severity: info
description: |
A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.
reference:
- https://github.com/cedowens/C2-JARM
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
tags: c2,ir,osint,mythic,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"

26
network/jarm/c2/posh-c2-jarm.yaml Normal file
View File

@ -0,0 +1,26 @@
id: posh-c2-jarm
info:
name: Posh C2 JARM - Detect
author: pussycat0x
severity: info
description: |
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
reference: |
- - https://github.com/cedowens/C2-JARM
- https://twitter.com/MichalKoczwara/status/1551639708949692416
- https://poshc2.readthedocs.io/en/latest/
tags: c2,ir,osint,posh,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261'"

25
network/jarm/c2/shad0w-c2-jarm.yaml Normal file
View File

@ -0,0 +1,25 @@
id: shad0w-c2-jarm
info:
name: Shad0w C2 JARM - Detect
author: pussycat0x
severity: info
description: |
SHAD0W is a modular C2 framework designed to successfully operate on mature environments.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/bats3c/shad0w
tags: shad0w,c2,osint,ir,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"

25
network/jarm/c2/silenttrinity-c2-jarm.yaml Normal file
View File

@ -0,0 +1,25 @@
id: silenttrinity-c2-jarm
info:
name: SILENTTRINITY C2 JARM - Detect
author: pussycat0x
severity: info
description: |
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. It's the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET API's, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim of this tool and the BYOI concept is to shift the paradigm back to PowerShell style like attacks (as it offers much more flexibility over traditional C# tradecraft) only without using PowerShell.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/byt3bl33d3r/SILENTTRINITY
tags: silenttrinity,c2,osint,ir,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb'"

24
network/jarm/c2/sliver-c2-jarm.yaml Normal file
View File

@ -0,0 +1,24 @@
id: sliver-c2-jarm
info:
name: Sliver C2 JARM - Detect
author: pussycat0x
severity: info
description: |
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.
reference:
- https://github.com/cedowens/C2-JARM
- https://github.com/BishopFox/sliver
tags: c2,ir,osint,sliver,jarm
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
matchers:
- type: dsl
dsl:
- "jarm(Hostname) == '2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883'"