```powershell
# Real-time LSASS access monitoring
# 4656 (handle requested) / 4663 (object accessed) are only written for process objects when
# Object Access auditing for kernel objects is enabled and the process carries an audit SACL;
# Sysmon Event ID 10 (ProcessAccess) is the more common source for lsass.exe handle opens.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656,4663} -MaxEvents 100 |
    Where-Object { $_.Message -match "lsass" }

# Check for dump files (a full-disk walk; restrict the path on large volumes)
Get-ChildItem C:\ -Recurse -File -Filter *.dmp -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match "lsass" }
```
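The snippet above matches on rendered Message text. The following is an added example, not code from the original page: it parses Sysmon Event ID 10 (ProcessAccess) records into objects, flags handles to lsass.exe that carry PROCESS_VM_READ (0x10, the right any memory dump needs) from a source that is not allow-listed, and runs first on a constructed sample event so it can be tried offline. The function names, the sample event and the Defender allow-list pattern are assumptions for the example; the live query at the end needs Sysmon installed with a ProcessAccess rule covering lsass.exe.

```powershell
function ConvertFrom-SysmonProcessAccess {
    # Flattens one Sysmon Event ID 10 (ProcessAccess) record. Takes the XML string that
    # $event.ToXml() returns, so it works on live events and on constructed samples alike.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $xml.Event.System.TimeCreated.SystemTime
            SourceImage   = $data['SourceImage']
            SourcePid     = $data['SourceProcessId']
            TargetImage   = $data['TargetImage']
            GrantedAccess = [int]$data['GrantedAccess']   # Sysmon writes this as hex, e.g. 0x1FFFFF
            CallTrace     = $data['CallTrace']
        }
    }
}

function Test-SuspiciousLsassAccess {
    # True when a non-allow-listed process opened lsass.exe with a handle that includes
    # PROCESS_VM_READ (0x10). Allow-list entries are -like patterns; tune them per environment.
    param(
        [Parameter(Mandatory)]$Access,
        [string[]]$AllowedSourceImages = @()
    )
    if ($Access.TargetImage -notmatch '\\lsass\.exe$') { return $false }
    $wantsRead = ($Access.GrantedAccess -band 0x10) -ne 0
    $allowed   = @($AllowedSourceImages | Where-Object { $Access.SourceImage -like $_ }).Count -gt 0
    return ($wantsRead -and -not $allowed)
}

# Constructed sample (not a real capture): the shape Sysmon uses for Event ID 10
$sampleEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>10</EventID>
    <TimeCreated SystemTime="2025-10-24T09:15:00.000000000Z" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  </System>
  <EventData>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="SourceImage">C:\Users\alice\Downloads\unknown.exe</Data>
    <Data Name="TargetProcessId">712</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1FFFFF</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d4b4|UNKNOWN(000001C2F1F70B2A)</Data>
  </EventData>
</Event>
"@

# Hypothetical allow-list entry: the Defender engine legitimately opens lsass.exe
$allowList = @('C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe')

# Offline run over the constructed sample: the unknown.exe handle is reported
$sampleEvent | ConvertFrom-SysmonProcessAccess |
    Where-Object { Test-SuspiciousLsassAccess -Access $_ -AllowedSourceImages $allowList }

# Live use against the Sysmon channel (returns nothing if Sysmon is not installed)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 10 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    ConvertFrom-SysmonProcessAccess |
    Where-Object { Test-SuspiciousLsassAccess -Access $_ -AllowedSourceImages $allowList }
```

Filtering on the access mask rather than on the source image alone keeps benign query-only handles (no 0x10 bit) out of the alert stream; the allow-list then covers the few products that legitimately read LSASS memory.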
```powershell
# Check WDigest (0 = plaintext credentials are not kept in LSASS; an absent value means the OS default applies)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -ErrorAction SilentlyContinue

# Check Credential Guard (SecurityServicesRunning containing 1 means Credential Guard is running)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object SecurityServicesConfigured, SecurityServicesRunning, VirtualizationBasedSecurityStatus

# Check LSASS PPL (RunAsPPL = 1 means LSA is configured to run as a protected process)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction SilentlyContinue
```
```powershell
# Disable WDigest (stops LSASS from caching plaintext credentials for the WDigest provider)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value 0 -PropertyType DWORD -Force

# Enable LSASS PPL (takes effect after a reboot; LSA then runs as a protected process)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force

# Enable ASR rule for LSASS protection
# ("Block credential stealing from the Windows local security authority subsystem"; requires Microsoft Defender Antivirus to be the active AV)
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
```
```powershell
# Purple Team Lab Testing Framework
function Start-LsassLabTest {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Baseline', 'TaskManager', 'Comsvcs', 'ProcDump', 'DirectSyscall')]
        [string]$TestScenario,
        [string]$TargetHost = "WS01",
        [string]$SiemHost = "192.168.100.40",
        [int]$WaitTimeSeconds = 60
    )
}
```
```powershell
# Create isolated lab environment (Domain Controller + Workstation)
# Use Hyper-V, VMware, or VirtualBox
# Lab Architecture:
# 1. Domain Controller (DC01) - Windows Server 2022
# 2. Workstation (WS01) - Windows 11 Enterprise
# 3. Attacker box (Kali/Windows) - for testing tools
# 4. SIEM/Log collector (Ubuntu with ELK stack or Splunk)
# Network: Isolated virtual network (no internet access)
```
```powershell
# Quick deployment script for critical defenses
function Enable-LsassHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Force
    )
    # The registry and Defender changes need an elevated session
    if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error "This script requires Administrator privileges"
        return
    }
}
```
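A complete version of the deployment idea, written as an added example rather than the page's own Enable-LsassHardening: it applies the WDigest, RunAsPPL and ASR settings shown earlier only where the current value differs from the desired one, honours -WhatIf and -Confirm through ShouldProcess, and returns one object per control saying what changed and whether a reboot is pending. The function name is an assumption; the registry paths and the ASR rule GUID are the ones the page uses.

```powershell
function Set-LsassHardeningBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # ASR rule "Block credential stealing from the Windows local security authority subsystem"
        [string]$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    )

    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated PowerShell session.' }

    # Desired registry state; RunAsPPL only takes effect after a reboot
    $desired = @(
        [pscustomobject]@{ Control = 'WDigest UseLogonCredential'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Want = 0; Reboot = $false }
        [pscustomobject]@{ Control = 'LSA RunAsPPL';               Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RunAsPPL';          Want = 1; Reboot = $true }
    )

    $results = @(foreach ($s in $desired) {
        # Missing value returns $null, which compares unequal to the desired DWORD
        $current = Get-ItemPropertyValue -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $changed = $false
        if ($current -ne $s.Want -and $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Want)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -PropertyType DWORD -Force | Out-Null
            $changed = $true
        }
        [pscustomobject]@{ Control = $s.Control; Before = $current; Desired = $s.Want; Changed = $changed; RebootRequired = ($changed -and $s.Reboot) }
    })

    # ASR: Get-MpPreference exposes parallel arrays of rule IDs and actions (1 = Block)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $idx  = [array]::IndexOf([string[]]$ids, $LsassAsrRuleId.ToLower())
    $asrBefore  = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
    $asrChanged = $false
    if ($asrBefore -ne 1 -and $PSCmdlet.ShouldProcess("ASR rule $LsassAsrRuleId", 'Set action to Block')) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions Enabled
        $asrChanged = $true
    }
    $results += [pscustomobject]@{ Control = 'ASR lsass rule'; Before = $asrBefore; Desired = 1; Changed = $asrChanged; RebootRequired = $false }
    $results
}

# Preview first, then apply:
#   Set-LsassHardeningBaseline -WhatIf
#   Set-LsassHardeningBaseline | Format-Table
```

Reading the current value before writing makes the function safe to run repeatedly from a scheduled job or configuration pipeline, and the returned objects give the evidence (before/after, reboot pending) that a change-ticket or purple-team report needs.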
```powershell
# Purple Team Testing Framework
function Test-LsassDefenses {
    [CmdletBinding()]
    param(
        [switch]$TestWDigest,
        [switch]$TestCredGuard,
        [switch]$TestPPL,
        [switch]$TestMonitoring,
        [switch]$TestASR,
        [switch]$GenerateReport
    )
}
```
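The earlier "check" snippets and the Test-LsassDefenses skeleton above both want the same thing: every control read, compared with an expected value, and reported. This added example (not the page's function; the name, the expected values and the CSV option are assumptions) does that for WDigest, LSA PPL, Credential Guard, the ASR rule and Sysmon presence, handling absent registry values and a missing Sysmon channel instead of erroring out.

```powershell
function Test-LsassDefenseBaseline {
    [CmdletBinding()]
    param(
        [string]$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',
        [string]$ReportPath                      # optional: also write the results as CSV
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $record  = {
        param($Control, $Actual, $Expected, [bool]$Pass, $Note)
        $results.Add([pscustomobject]@{
            Control = $Control; Actual = $Actual; Expected = $Expected
            Result  = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Note = $Note
        })
    }

    # WDigest: 0 means no plaintext credentials cached; an absent value is the OS default, so set it explicitly
    $wd = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -ErrorAction SilentlyContinue
    & $record 'WDigest UseLogonCredential' $wd 0 ($wd -eq 0) $(if ($null -eq $wd) { 'value absent' } else { '' })

    # LSA PPL: 1 = enabled (UEFI-locked), 2 = enabled without UEFI lock (Windows 11 22H2 and later);
    # the registry value only describes the next boot, so also look for the Wininit start-up event
    $ppl = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; ID = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
    & $record 'LSA RunAsPPL' $ppl '1 or 2' ($ppl -in 1, 2) $(if ($pplEvent) { 'Wininit event 12 seen: LSASS started protected' } else { 'no Wininit event 12: reboot pending or PPL not active' })

    # Credential Guard: SecurityServicesRunning contains 1 while it is running
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    & $record 'Credential Guard running' $cgRunning $true $cgRunning "VBS status: $($dg.VirtualizationBasedSecurityStatus)"

    # ASR: parallel arrays of rule IDs and actions; action 1 = Block
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $i    = [array]::IndexOf([string[]]$ids, $LsassAsrRuleId.ToLower())
    $asr  = if ($i -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$i] } else { $null }
    & $record 'ASR lsass rule action' $asr 1 ($asr -eq 1) 'needs Microsoft Defender AV active'

    # Monitoring: the Sysmon channel exists and has records; coverage still depends on its config
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    & $record 'Sysmon log present' ([bool]$log) $true ([bool]$log -and $log.RecordCount -gt 0) 'confirm a ProcessAccess rule covers lsass.exe'

    if ($ReportPath) { $results | Export-Csv -Path $ReportPath -NoTypeInformation }
    $results
}

# Usage:
#   Test-LsassDefenseBaseline | Format-Table -AutoSize
#   Test-LsassDefenseBaseline -ReportPath C:\Temp\lsass-baseline.csv
```

Running this before and after each lab scenario gives a fixed-format record of which control was in place when a given dump technique was attempted, which is what a purple-team exercise is trying to establish.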
```powershell
# This technique injects fake credentials into LSASS.
# When LSASS is dumped, attackers will attempt to use the fake credentials,
# triggering alerts as soon as they are used.
# Note: Requires specialized tools such as:
# - DCEPT (Active Directory honeypot)
# - Canarytokens
# - Commercial deception platforms (Illusive Networks, Attivo, etc.)
# Example using PowerShell (simplified concept):
```
```powershell
# Create honeypot user account
$honeyUsername = "administrator_backup"
# Use a long random value in practice: the account created below is a real member of Administrators
$honeyPassword = ConvertTo-SecureString "P@ssw0rdBackup2025!" -AsPlainText -Force

# Create account with description to make it look legitimate
New-LocalUser -Name $honeyUsername -Password $honeyPassword -Description "Backup administrator account - DO NOT USE"
Add-LocalGroupMember -Group "Administrators" -Member $honeyUsername

# Set account to never expire
Set-LocalUser -Name $honeyUsername -PasswordNeverExpires $true
# The credential only lands in LSASS memory once a logon session uses it; any 4624/4625 for this name is a signal
```
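Creating the account is only half of the deception described above; the value comes from alerting when the planted name is ever used. The following is an added example, not part of the original snippet: it builds a server-side XPath filter for the Security log on the honey account name and returns the matching logon and Kerberos events as objects. Function names and the default lookback are assumptions. Event IDs 4768/4771 only apply when the honey account is a domain account and the query runs on a domain controller; for the local account the page creates, 4624/4625 on that host are the relevant events.

```powershell
function New-HoneyAccountXPath {
    # Builds the XPath that Get-WinEvent hands to the event log service, so the account-name
    # filter is applied there instead of by regex over the rendered Message text.
    param([string]$HoneyUsername, [int]$LookbackMinutes, [int[]]$EventIds)
    $idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $ms = $LookbackMinutes * 60 * 1000
    "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='TargetUserName']='$HoneyUsername']]"
}

function Get-HoneyAccountLogonEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HoneyUsername,
        [int]$LookbackMinutes = 60,
        # 4624/4625: local logon success/failure; 4768/4771: Kerberos TGT request / pre-auth failure (DC only)
        [int[]]$EventIds = @(4624, 4625, 4768, 4771)
    )
    $xpath = New-HoneyAccountXPath -HoneyUsername $HoneyUsername -LookbackMinutes $LookbackMinutes -EventIds $EventIds
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            TargetUser  = $d['TargetUserName']
            LogonType   = $d['LogonType']                                       # 4624/4625 only
            Source      = $(if ($d['IpAddress']) { $d['IpAddress'] } else { $d['WorkstationName'] })
            Status      = $d['Status']                                          # failure code on 4625/4771
        }
    }
}

# Usage: any result is an alert, since nothing legitimate should ever authenticate as the honey account
Get-HoneyAccountLogonEvents -HoneyUsername 'administrator_backup' -LookbackMinutes 1440 | Format-Table -AutoSize
```

Because the honey account has no legitimate use, the detection needs no tuning: forward these events to the SIEM and page on a single hit, and include the source address so the host the credential was replayed from can be isolated.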
```yaml
title: LSASS Memory Dump via Comsvcs.dll
id: a49fa4d5-11db-418c-8473-1e014a74f0d6
status: stable
description: Detects LSASS memory dumping using comsvcs.dll MiniDump function
references:
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Security Operations Team
date: 2025/10/24
tags:
    - attack.credential_access
```