```powershell
# Disable WDigest
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -PropertyType DWORD -Force
# Enable LSASS PPL
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force
# Enable ASR rule for LSASS protection
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
```
```powershell
# Check WDigest
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential"
# Check Credential Guard
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Check LSASS PPL
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL"
```
```powershell
# Real-time LSASS access monitoring
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4656,4663} -MaxEvents 100 | Where-Object {$_.Message -match "lsass"}
# Check for dump files
Get-ChildItem C:\ -Recurse -Filter *.dmp -ErrorAction SilentlyContinue | Where-Object {$_.Name -match "lsass"}
```
```powershell
# Force password resets
Set-ADUser -Identity USERNAME -ChangePasswordAtLogon $true
# Revoke Kerberos tickets
Invoke-Command -ComputerName HOSTNAME -ScriptBlock {klist purge}
# Reset computer account
Reset-ComputerMachinePassword -Server DC01
```
```text
┌────────────────────────────────────────────────────┐
│ Modern Defense Strategy                            │
├────────────────────────────────────────────────────┤
│                                                    │
│ Short Term: Harden existing systems                │
│   ├─ Credential Guard everywhere possible          │
│   ├─ RunAsPPL on all systems                       │
│   ├─ WDigest disabled globally                     │
│   └─ Comprehensive monitoring                      │
│                                                    │
```
```powershell
# Windows Hello for Business deployment
# Replaces passwords with cryptographic keys
# Benefits:
# - Credentials never in memory as plaintext
# - Biometric or PIN authentication
# - TPM-protected private keys
# - Phishing-resistant
# Check Windows Hello status
```
```text
┌──────────────────────────────────────────────────────────┐
│ Future Protection Mechanisms                             │
├──────────────────────────────────────────────────────────┤
│                                                          │
│ • Hardware-based isolation (Pluton, TPM 3.0)             │
│ • Machine learning anomaly detection                     │
│ • Passwordless authentication (FIDO2, Windows Hello)     │
│ • Zero Trust architecture (continuous verification)      │
│ • Ephemeral credentials (short-lived tokens)             │
│ • Confidential computing (encrypted memory)              │
```
```text
───────────────────────────────────────────────
│ Detection Pipeline
───────────────────────────────────────────────
│
│ 1. Endpoint Detection (EDR)
│    ├─ Process monitoring (API hooks)
│    ├─ Memory access detection
│    └─ Behavioral analysis
│
│ 2. Event Collection (Sysmon/Windows Event Log)
```
```text
───────────────────────────────────────────────
│ Defense Layers (Zero Trust)
───────────────────────────────────────────────
│
│ Layer 7: Security Monitoring & IR
│    ├─ SIEM/SOAR integration
│    ├─ 24/7 SOC monitoring
│    └─ Automated response playbooks
│
│ Layer 6: Identity Protection
```
```text
───────────────────────────────────────────────
│ Attack Chain Timeline
───────────────────────────────────────────────
│ 1. Initial Access (T1078 - Valid Accounts)
│    - Phishing email with malicious attachment
│    - User opens document, macro executes
│
│ 2. Execution (T1059 - Command and Scripting)
│    - PowerShell beacon established
│    - C2 communication initiated
```