dezhub

function Get-Doppelgangers
{
    <# 
    .SYNOPSIS 
    
    Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
     
    Author: Joe Desimone (@dez_) 
    License: BSD 3-Clause 
    

mattifestation

# https://github.com/mattifestation/CatalogTools
Import-Module CatalogTools

# install.wim was mounted to C:\Mount with Mount-WindowsImage
$SystemCatalogEntries = ls -Path C:\Mount -Include '*.cat' -Recurse | % {
    $CatalogInfo = Get-CatalogFile -Path $_.FullName
    $FilePath = 'C:' + $CatalogInfo.FilePath.Path.Substring(8)

    $CatalogInfo.CatalogMembers | ? { $_.HashInfo.Algorithm -and $_.HashInfo.FileHash } | % {
        $Hint = $null

mattifestation

"Algorithm","Hash","CatalogPath","Hint"
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",
"SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat",

Mr-Un1k0d3r

#!/bin/bash
echo "Cloning $1"
wget $1 -O index.html &> /dev/null
TAG="<base href=\"$1\"/></head>"
sed '/<\/head>/i\'"$TAG" index.html | tee index.html &> /dev/null
echo "index.html was saved and modified"

ropnop

#!/bin/bash

# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful

ivanstan

$context=array(
    "ssl"=>array(
        "allow_self_signed"=>true,
        "verify_peer"=>false,
    ),
);

file_get_contents("https://example.com/", false, stream_context_create($context));

mubix

• How to Build a Successful Information Security Career (Daniel Miessler)
  • https://danielmiessler.com/blog/build-successful-infosec-career/#gs.DtVCbbw
• The First Steps to a Career in Information Security (Errata Security - Marisa Fagan)
  • http://blog.erratasec.com/2010/04/first-steps-to-career-in-information.html#.WFrbofkrIuU
• Hiring your first Security Professional (Peerlyst - Dawid Balut)
  • https://www.peerlyst.com/posts/hiring-your-first-security-professional-dawid-balut
• How to Start a Career in Cyber security
  • https://www.concise-courses.com/security/how-to-start-your-career/
• How to Get Into Information Security (ISC^2)
• https://www.isc2.org/how-to-get-into-information-security.aspx

exp0se

# Logparser 


###############
# Security Log
###############

# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"

exp0se

#Security log
#============
####
#4624 - Logon & Logoff events successful
#4625 - Logon unsucceful

####
# Get usernames
Get-WinEvent -path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique 
# Get domains

netson

PSAD and Logstash

Table of Contents

• What are we doing here?
• What is PSAD?
• What is Logstash?
• Using PSAD and Logstash
• First, configure rsyslog
• Then, configure logstash patterns