Mr Forest 0xForest
0xForest
/ tunnel-vision.ps1
Created
January 13, 2026 21:35
A tool to diagnose the DNS tunnel used by Canaries.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env pwsh | |
| <# | |
| .SYNOPSIS | |
| Tunnel-vision | |
| .DESCRIPTION | |
| Discovers and analyses the DNS environment to ensure it's ripe for Canary communication. | |
| Canaries don't communicate directly with a Canary Console and instead make use of DNS Tunnelling. | |
| This means that they exclusively generate DNS lookups (UDP/53) in order to alert, update and get new settings. |
0xForest
/ DFIR-RatPack.ps1
Last active
May 6, 2024 11:24
— forked from thinkst-cs/DFIR-RatPack.ps1
RATPACK - DFIR Common exes - Single Script to setup and alert on any of them executing on an endpoint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sensitive Command Manager | |
| # Note : This script must be run with administrative permissions. | |
| Param ( | |
| [string]$Action, | |
| [string]$Executable, | |
| [string]$Domain, | |
| [string]$ApiKey, | |
| [string]$IgnoreUser, |