InvokeThreatGuy invokethreatguy
invokethreatguy
/ WDACBaselining.ps1
Created
December 19, 2023 10:23
— forked from mattifestation/WDACBaselining.ps1
Script I use to make sense of code integrity audit/enforcement events for primarily baselining purposes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-CodeIntegrityEvent { | |
| <# | |
| .SYNOPSIS | |
| Returns code integrity event log audit/enforcement events in a more human-readable fashion. | |
| .DESCRIPTION | |
| Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining. |
invokethreatguy
/ UdpSpoofer.py
Created
December 15, 2023 18:15
— forked from zyzof/UdpSpoofer.py
Sending spoofed raw packets with scapy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from scapy.all import * | |
| import time | |
| ip = IP(dst='192.168.1.1', src='192.168.1.1') | |
| udp = UDP(sport=1234,dport=1234) | |
| payload = '\x01\x0f' | |
| packet = ip/udp/payload | |
| while(True): |
invokethreatguy
/ credentialGuard.ps1
Created
November 5, 2023 20:40
— forked from frayos/credentialGuard.ps1
Credential Guard checker Powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard | |
| if ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"} | |
| if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"} | |
invokethreatguy
/ CredentialManager.cs
Created
September 7, 2023 18:18
— forked from meziantou/CredentialManager.cs
Using the Windows Credential API (CredRead, CredWrite, CredDelete, CredEnumerate).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // The most up to date version is available | |
| // on GitHub: https://github.com/meziantou/Meziantou.Framework/tree/master/src/Meziantou.Framework.Win32.CredentialManager | |
| // NuGet package: https://www.nuget.org/packages/Meziantou.Framework.Win32.CredentialManager/ | |
| using System; | |
| using System.Collections.Generic; | |
| using System.ComponentModel; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| using Microsoft.Win32.SafeHandles; |
invokethreatguy
/ ConsoleOutputLog.cs
Created
August 22, 2023 17:09
— forked from mikey-t/ConsoleOutputLog.cs
Simple C# utility class to output to both console and a log file at the same time. Use it by simply calling Output.Write() and Output.WriteLine().
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Output | |
| { | |
| private readonly string LogDirPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "logs"); | |
| private static Output _outputSingleton; | |
| private static Output OutputSingleton | |
| { | |
| get | |
| { | |
| if (_outputSingleton == null) |
invokethreatguy
/ dotnet-runtime-etw.py
Created
August 22, 2023 16:02
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
invokethreatguy
/ ServiceInstaller.cs
Created
August 15, 2023 15:25
— forked from FusRoDah061/ServiceInstaller.cs
Class for installing windows service on C#
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Threading; | |
| */ | |
| /// <summary> | |
| /// <para> | |
| /// Sources: | |
| /// <para>https://stackoverflow.com/questions/358700/how-to-install-a-windows-service-programmatically-in-c </para> |
invokethreatguy
/ privtasks.ps1
Created
August 15, 2023 15:15
— forked from wdormann/privtasks.ps1
List privileged scheduled tasks that don't come with Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) | |
| if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { | |
| Write-Warning "We don't have elevated privileges. The following results may not be complete." | |
| } | |
| schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User" |
invokethreatguy
/ DetectOpenFiles.cs
Created
June 24, 2022 16:17
— forked from manuc66/ DetectOpenFiles.cs
Backup of DetectOpenFiles.cs originated from https://vmccontroller.codeplex.com/SourceControl/changeset/view/47386#195318
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.EnterpriseServices; | |
| using System.IO; | |
| using System.Runtime.CompilerServices; | |
| using System.Runtime.ConstrainedExecution; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Permissions; | |
| using System.Text; | |
| using System.Threading; |
invokethreatguy
/ procmon.py
Created
April 10, 2022 15:42
— forked from nikolay-n/procmon.py
ObjSee ProcessMonitor wrapper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from __future__ import print_function | |
| import os | |
| import subprocess | |
| import threading | |
| import json | |
| # ProcessMonitor need to download from https://objective-see.com/products/utilities.html | |
| # and put to /Applications/ folder | |
| # also give Terminal.app Full Disk Access |
NewerOlder