Titanis Cheatsheet: Active Directory Pentesting with Titanis

This cheatsheet hopes to serve as a practical, copy-paste field reference for Titanis, a cross-platform C# / .NET 8 protocol library and toolset for Windows / Active Directory made by TrustedSec. Why Titanis? Titanis is stealthier than Impacket in many ways, enough that it requires its own deep dive and research. I will be releasing a blog post that dives into the exact comparisons between both tools, but for now, just know that. ...

May 25, 2026

Shai Hulud Source Code Release IoCs

Repository Used: https://github.com/PedroTortoriello/Shai-Hulud-Open-Source

Last known commit: da10861 — "Shai-Hulud: A Gift From TeamPCP"

The analysis of the repository shared by TeamPCP was mainly done statically, with some other elements from here confirmed dynamically using a VM hosted on a VPS I own. Goes without saying, but don’t try doing this yourself unless you know what you are doing.

Network IoCs

C2 and Exfiltration Endpoints

| Indicator | Type | Notes/Context |
| --- | --- | --- |
| https://git-tanstack.com:443/router | C2 domain | Primary exfiltration endpoint. Healthcheck expects HTTP 400 or 404. |
| https://api.github.com/user/repos | GitHub API | Used to create public exfil repositories |
| https://api.github.com/user | GitHub API | Polled by deadman monitor every 60s |
| https://api.github.com/user/orgs | GitHub API | Org scope check during token validation |
| https://api.github.com/graphql | GitHub API | Branch mutation via createCommitOnBranch |
| https://api.github.com/search/commits?q=IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner | GitHub API | Token broker commit search |
| https://api.github.com/search/commits?q=thebeautifulmarchoftime%20 | GitHub API | Signed fallback C2 domain discovery |

npm Registry Endpoints

| Indicator | Type | Notes/Context |
| --- | --- | --- |
| https://registry.npmjs.org/-/npm/v1/tokens | npm API | Token inventory and validation |
| https://registry.npmjs.org/-/whoami | npm API | Token identity check |
| https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ | npm API | OIDC trusted publishing attack path |

Malware Loader Download

| Indicator | Type | Notes/Context |
| --- | --- | --- |
| https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ | Download | Bun runtime fetched by all loader variants (bash and python loaders) |

Cloud Metadata Endpoints

| Indicator | Type | Notes |
| --- | --- | --- |
| http://169.254.169.254/latest/ | AWS IMDS | EC2 IMDSv2 credential harvesting |
| http://169.254.170.2 | AWS ECS | ECS container credential endpoint |
| http://127.0.0.1:8200 | HashiCorp Vault | Default Vault address (overridden by VAULT_ADDR) |

A note about the HashiCorp Vault address: while that’s the default/hardcoded one, you’ll have to refer to your own if it’s been configured with the environment variable ...

May 13, 2026