| #This script reads the Sysmon event logs, gets process IDs from the event and dumps its memory. | |
| #Since task scheduler cannot provide the process id as an input for the script, we have to read Sysmon logs to get the process Ids. | |
| $events=Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sysmon"; Id = 11; StartTime = [datetime]::Now.AddMinutes(-20)} -ErrorAction Stop | |
| #the below function was copied from PowerSploit. | |
| #It dumps the full memory of a given process Id into a specified folder. | |
| function Out-Minidump { | |
| <# SNIPPED SECTION #> |
| <#snipped section#> | |
| #get events related to the honeyfolder. this time we are using eventId 4656. | |
| $events=Get-WinEvent -FilterHashtable @{LogName="Security"; Id = 4656; StartTime = [datetime]::Now.AddMinutes(-5)} |Where-Object -Property Message -Match 'honeyfolder' | Where-Object -Property Message -Match ('Read|DELETE|WriteData') -ErrorAction Stop | |
| <#snipped section#> | |
| #process Id is in hex format in EventID 4656, need to convert it to integer using [int]. | |
| foreach ($event in $events) { | |
| #parse the process Id. | |
| $processId=[int][regex]::Match($event.message,'Process\sID\:\s+(0x.+)\s').captures.groups[1].Value |
| # Log the time prior to executing the action. | |
| # This will be used as parth of an event log XPath filter. | |
| $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc) | |
| # Do the thing now that you want to see potential relevant events surface... | |
| $null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly | |
| # Allow a moment to allow events to populate | |
| Start-Sleep -Seconds 5 |
While this gist has been shared and followed for years, I regret not giving more background. It was originally a gist for the engineering org I was in, not a "general suggestion" for any React app.
Typically I avoid folders altogether. Heck, I even avoid new files. If I can build an app with one 2000 line file I will. New files and folders are a pain.
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $wc = New-Object System.Net.WebClient | |
| if (!(Test-Path "C:\Tools")) { | |
| New-Item -Path "C:\" -Name "Tools" -ItemType "directory" | |
| } | |
| # SYSMON | |
| # Download Sysmon | |
| $SysmonDirectory = "C:\Tools\Sysmon\" |
| from datetime import datetime, timedelta | |
| from os import path | |
| import sqlite3 | |
| import time | |
| import json | |
| # =================== | |
| # DATABASE OPERATIONS | |
| # =================== | |
| def sqlite_instantiate(dbconfig, table="hashes"): |
| #import office 365 session | |
| $UserCredential = Get-Credential | |
| $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection | |
| Import-PSSession $Session | |
| #connect Azure AD | |
| Connect-MsolService -Credential $UserCredential | |
| #Random password generator | |
| Function random-password ($length = 8) |
| """ | |
| Transform a binary file into a C header file. | |
| The binary file is splitted into 16 char strings and rebuild at execution time. | |
| The function buildsc() must be called in your main to rebuild the binary file into the sc C variable. | |
| The length is set in the sc_length variable. | |
| Be carefull, try to avoid compiler code optimization as it will remove all these modifications in the final binary. | |
| """ |