```powershell
# Enable audit policy for process access
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable

# Create scheduled task to monitor LSASS access
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument @"
-NoProfile -WindowStyle Hidden -Command "
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4656,4663} |
Where-Object {`$_.Message -match 'lsass.exe'} |
ForEach-Object {
    # handler body is not included in the source snippet
}
"
"@
```
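The scheduled task above keys on Security events 4656/4663, which for a process object only fire when a SACL is present on that object (a global object access SACL, for example); the `auditpol` lines alone do not set one. Sysmon's ProcessAccess event (Event ID 10) records every handle opened to lsass.exe together with the source image and the granted access mask, which is what a detection actually needs. The following is an added example, not code from the original gist: a parser for that event with an allow-list of expected source processes and a constructed sample event. The allow-list paths and the sample event are assumptions for illustration; the Sysmon log name and field names are the ones Sysmon emits.

```powershell
# Added example (not from the original gist): flag handles opened to lsass.exe
# with memory-read rights by processes that are not on an allow-list.
# Assumptions: Sysmon is installed with ProcessAccess (Event ID 10) enabled;
# the allow-list below is a constructed placeholder for your own estate.

$AllowedSourceImages = @(
    'C:\Program Files\Windows Defender\MsMpEng.exe',   # assumption: AV engine
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe'
)

# PROCESS_VM_READ (0x10) is the right needed to read credential material from memory.
$MemoryReadMask = 0x10

function Get-LsassAccessFromXml {
    # Parses one Sysmon event (as XML text) and returns a summary object,
    # or $null when the target process is not lsass.exe.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    if ($data['TargetImage'] -notmatch '\\lsass\.exe$') { return $null }
    $access = [Convert]::ToInt32(($data['GrantedAccess'] -replace '^0x', ''), 16)
    [pscustomobject]@{
        TimeUtc       = $data['UtcTime']
        SourceImage   = $data['SourceImage']
        SourcePid     = $data['SourceProcessId']
        GrantedAccess = ('0x{0:X}' -f $access)
        CanReadMemory = (($access -band $MemoryReadMask) -ne 0)
        Allowed       = ($AllowedSourceImages -contains $data['SourceImage'])
        CallTrace     = $data['CallTrace']
    }
}

function Get-LsassAccessAlerts {
    # Returns only the accesses worth an analyst's attention.
    param([string[]]$EventXmls)
    foreach ($x in $EventXmls) {
        $r = Get-LsassAccessFromXml -EventXml $x
        if ($null -ne $r -and $r.CanReadMemory -and -not $r.Allowed) { $r }
    }
}

function Get-LiveLsassAccessAlerts {
    # Live variant: reads Event ID 10 from the Sysmon operational log on this host.
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    Get-LsassAccessAlerts -EventXmls ($events | ForEach-Object { $_.ToXml() })
}

# Constructed sample event (not a real capture) with the fields Sysmon emits for ID 10.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="SourceProcessId">4242</Data>
    <Data Name="SourceImage">C:\Users\Public\tool.exe</Data>
    <Data Name="TargetProcessId">652</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1010</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001C0B3C20000)</Data>
  </EventData>
</Event>
'@

# Offline run over the constructed event: the source is not allow-listed and
# 0x1010 includes PROCESS_VM_READ, so one alert is returned.
Get-LsassAccessAlerts -EventXmls @($SampleEvent) | Format-List
```

The allow-list is matched on the full image path on purpose: a tool renamed to `MsMpEng.exe` in a user-writable directory would still alert. On a real host, run `Get-LiveLsassAccessAlerts` from the scheduled task instead of matching on `$_.Message` text, and treat an `UNKNOWN` module in `CallTrace` as a strong signal of injected or unbacked code.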
```powershell
# Enable Credential Guard (requires restart)
# Requires: Windows 10 Enterprise/Education, Windows 11, Server 2016+
# Hardware: TPM 2.0, UEFI, Virtualization extensions

# Enable via registry
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "RequirePlatformSecurityFeatures" -Value 3 -PropertyType DWORD -Force
```
```powershell
# Remote execution using WMI
$target = "DC01.contoso.com"
$cred = Get-Credential

# Create remote CIM session
$session = New-CimSession -ComputerName $target -Credential $cred

# Execute remote dump
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full'
}
```
```text
┌─────────────────────────────────────────────
│ Attack Chain Timeline
├─────────────────────────────────────────────
│ 1. Initial Access (T1078 - Valid Accounts)
│   → Phishing email with malicious attachment
│   → User opens document, macro executes
│
│ 2. Execution (T1059 - Command and Scripting)
│   → PowerShell beacon established
│   → C2 communication initiated
```
```text
┌─────────────────────────────────────────────
│ Defense Layers (Zero Trust)
├─────────────────────────────────────────────
│
│ Layer 7: Security Monitoring & IR
│ ├─ SIEM/SOAR integration
│ ├─ 24/7 SOC monitoring
│ └─ Automated response playbooks
│
│ Layer 6: Identity Protection
```
```text
┌─────────────────────────────────────────────
│ Detection Pipeline
├─────────────────────────────────────────────
│
│ 1. Endpoint Detection (EDR)
│ ├─ Process monitoring (API hooks)
│ ├─ Memory access detection
│ └─ Behavioral analysis
│   ↓
│ 2. Event Collection (Sysmon/Windows Event Log)
```
```text
┌────────────────────────────────────────────────────────
│ Future Protection Mechanisms
├────────────────────────────────────────────────────────
│
│ • Hardware-based isolation (Pluton, TPM 3.0)
│ • Machine learning anomaly detection
│ • Passwordless authentication (FIDO2, Windows Hello)
│ • Zero Trust architecture (continuous verification)
│ • Ephemeral credentials (short-lived tokens)
│ • Confidential computing (encrypted memory)
```
```powershell
# Windows Hello for Business deployment
# Replaces passwords with cryptographic keys
# Benefits:
# - Credentials never in memory as plaintext
# - Biometric or PIN authentication
# - TPM-protected private keys
# - Phishing-resistant

# Check Windows Hello status
```
```text
┌──────────────────────────────────────────────────
│ Modern Defense Strategy
├──────────────────────────────────────────────────
│
│ Short Term: Harden existing systems
│ ├─ Credential Guard everywhere possible
│ ├─ RunAsPPL on all systems
│ ├─ WDigest disabled globally
│ └─ Comprehensive monitoring
│
```
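Setting the DeviceGuard registry values shown earlier turns on VBS, but Credential Guard itself is only active once `LsaCfgFlags` under the Lsa key is also set and the machine has rebooted, so a hardening rollout needs a verification step rather than trust in the write. The following posture check is an added example, not code from the original gist: it reads the four "short term" controls listed in the strategy box (Credential Guard, RunAsPPL, WDigest, plus the VBS switch from the earlier snippet) from their documented Windows locations and reports which are compliant. The expected values encode the hardened state; the function names are this example's own.

```powershell
# Added example (not from the original gist): verify the short-term hardening
# controls on the local host. Run elevated; registry paths and the
# Win32_DeviceGuard class are the documented Windows locations for these settings.

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 while Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($null -ne $dg -and $dg.SecurityServicesRunning -contains 1)
}

function Get-LsassHardeningPosture {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    $cgRunning = Test-CredentialGuardRunning
    $vbs       = Get-RegistryDword -Path $dgKey   -Name 'EnableVirtualizationBasedSecurity'
    $lsaCfg    = Get-RegistryDword -Path $lsa     -Name 'LsaCfgFlags'        # 1 = with UEFI lock, 2 = without
    $runAsPpl  = Get-RegistryDword -Path $lsa     -Name 'RunAsPPL'           # 1 = with UEFI lock, 2 = without
    $wdValue   = Get-RegistryDword -Path $wdigest -Name 'UseLogonCredential' # 0/absent = no plaintext caching

    @(
        [pscustomobject]@{ Control = 'Credential Guard running';   Expected = 'True';
                           Actual = $cgRunning; Compliant = $cgRunning }
        [pscustomobject]@{ Control = 'VBS enabled (registry)';     Expected = '1';
                           Actual = $vbs;       Compliant = ($vbs -eq 1) }
        [pscustomobject]@{ Control = 'Credential Guard flag';      Expected = '1 or 2';
                           Actual = $lsaCfg;    Compliant = ($lsaCfg -in 1, 2) }
        [pscustomobject]@{ Control = 'LSA RunAsPPL';               Expected = '1 or 2';
                           Actual = $runAsPpl;  Compliant = ($runAsPpl -in 1, 2) }
        [pscustomobject]@{ Control = 'WDigest UseLogonCredential'; Expected = '0 or absent';
                           Actual = $wdValue;   Compliant = ($null -eq $wdValue -or $wdValue -eq 0) }
    )
}

# Report every control, then just the gaps.
$posture = Get-LsassHardeningPosture
$posture | Format-Table -AutoSize
$posture | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning ("Not compliant: {0} (actual: {1})" -f $_.Control, $_.Actual) }
```

The Credential Guard row is reported from the running state, not the registry, because the registry values only describe intent until the next boot; a host that shows the VBS and `LsaCfgFlags` rows compliant but Credential Guard not running is usually still waiting for a restart or failing a hardware prerequisite. Run the function through `Invoke-Command` against a host list to turn it into a fleet-wide compliance sweep.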
```powershell
# Force password resets
Set-ADUser -Identity USERNAME -ChangePasswordAtLogon $true

# Revoke Kerberos tickets
Invoke-Command -ComputerName HOSTNAME -ScriptBlock {klist purge}

# Reset computer account
Reset-ComputerMachinePassword -Server DC01
```