| # A script that will safely remove adversary footholds on systems. | |
| # | |
| # Be sure to replace your observables down below. Be careful not to | |
| # included LOLBINs as they cannot be safely killed this way. Use | |
| # Kill-Threads.ps1 for those. | |
| # | |
| # Used with great success during CF20 | |
| # | |
| # Author: Eric Capuano |
| name: Custom.CapsSysmon.Deploy | |
| description: | | |
| A quick and dirty way to download and install sysmon via Velociraptor | |
| # Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT | |
| type: CLIENT | |
| parameters: | |
| - name: sysmonURL | |
| default: http://url.to/sysmon8_64.exe | |
| - name: binPath | |
| default: C:\sysmon.exe |
Update: I created jq-zsh-plugin that does this.
One of my favourite tools of my trade is jq. It essentially enables you to process json streams with the same power that sed, awk and grep provide you with for editing line-based formats (csv, tsv, etc.).
Another one of my favourite tools is fzf.
| # -*- coding: utf-8 -*- | |
| import sys | |
| # Convert latitude and longitude to Maidenhead grid locators. | |
| # | |
| # Arguments are in signed decimal latitude and longitude. For example, | |
| # the location of my QTH Palo Alto, CA is: 37.429167, -122.138056 or | |
| # in degrees, minutes, and seconds: 37° 24' 49" N 122° 6' 26" W | |
| # |
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
