Jonathan Johnson jonny-jhnson
// Create Remote Trace Session
logman -s Wakanda-Wrkstn create trace -n KernelAPICallTrace -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
logman -s Wakanda-Wrkstn create trace -n "Service\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
logman -s Wakanda-Wrkstn create trace -n "Autosession\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
// Query Remote Trace Sessions
logman -s Wakanda-Wrkstn query -ets
EventId  Event Description
1        THREATINT_ALLOCVM_REMOTE
2        THREATINT_PROTECTVM_REMOTE
3        THREATINT_MAPVIEW_REMOTE
4        THREATINT_QUEUEUSERAPC_REMOTE
5        THREATINT_SETTHREADCONTEXT_REMOTE
6        THREATINT_ALLOCVM_LOCAL
7        THREATINT_PROTECTVM_LOCAL
8        THREATINT_MAPVIEW_LOCAL
11       THREATINT_READVM_LOCAL
if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace TokenInformation {
[Flags]
public enum ProcessAccess {
All = 0x001FFFFF,
Terminate = 0x00000001,
@jonny-jhnson
jonny-jhnson / ProtectionChecks.ps1
Last active March 28, 2025 21:53
PowerShell script that will pull whether a process or service is running as protected (PPL).
# Author: Jonathan Johnson (@jsecurity101)
if (-not ('ProtectedObjects.ProcessNativeMethods' -as [Type])) {
$TypeDef = @'
using System;
using System.Runtime.InteropServices;
namespace ProtectedObjects {
[Flags]
public enum ProcessAccess {
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
@jonny-jhnson
jonny-jhnson / GrabTools.ps1
Last active November 7, 2024 12:15
Tools needed for DEATHCON 2024
$EtwInspectorURL = "https://github.com/jsecurity101/ETWInspector/releases/download/1.0/EtwInspector.exe"
$JonMonURL = "https://github.com/jsecurity101/JonMon/releases/download/Beta-0.01/JonMon.zip"
$EtwInspecter = "EtwInspector.exe"
$JonMonZIP = "JonMon.zip"
# Download EtwInspector using Invoke-WebRequest
Write-Output "Downloading EtwInspector..."
Invoke-WebRequest -Uri $EtwInspectorURL -OutFile $EtwInspecter
Write-Output "EtwInspector Downloaded"
PS > Get-FwFilter -Key 8560068a-cb5a-4521-84cf-e1c0072dc359 | Format-FwFilter
Name : Custom Outbound Filter
Action Type: Block
Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id : 68421
Description:
Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer : FWPM_SUBLAYER_UNIVERSAL
Flags : Persistent, Indexed
Weight : 274877906944
PS > Get-FwFilter -Id 68421 | Format-FwFilter
Name : Custom Outbound Filter
Action Type: Block
Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id : 68421
Description:
Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer : FWPM_SUBLAYER_UNIVERSAL
Flags : Persistent, Indexed
Weight : 274877906944
@jonny-jhnson
jonny-jhnson / LDAPQueries.md
Created October 25, 2023 15:05
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

The queries are not exhaustive and are meant as a reference. If you are using them for hunting, match on a substring (a "contains" operator in your query language) rather than on the exact filter string.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • Attributes with passwords
    • (userpassword=*)
$LoadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver
$LoadedDrivers | ForEach-Object {
# Put $null on the left so the comparison is not coerced into array filtering
if ($null -ne $_.PathName) {
# Check if the path starts with \??\ and adjust the relative path
if ($_.PathName.StartsWith("\??\")) {
$RelativePath = $_.PathName.Remove(0,4)
} else {
$RelativePath = $_.PathName
}