I hereby claim:
- I am kevinelwell on github.
- I am kevinelwell (https://keybase.io/kevinelwell) on keybase.
- I have a public key ASCNviubvngJsDWHfGtJfWhji8Dh6Yj25zzKt4f5noVocgo
To claim this, I am signing this object:
Kevin kevinelwell
kevinelwell
/ PSFalcon-KAPE-Forensics.ps1
Created
June 7, 2023 19:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 5.1 | |
| #Requires -Modules @{ModuleName='PSFalcon';ModuleVersion='2.2.1'} | |
| #Requires -RunAsAdministrator | |
| <# | |
| .SYNOPSIS | |
| This script will copy and execute the KAPE forensics tool on a remote | |
| Microsoft Windows host using CrowdStrike API's and RTR | |
| .DESCRIPTION |
kevinelwell
/ Pull_logs_and_zip.ps1
Created
January 26, 2023 13:45
— forked from Purp1eW0lf/Pull_logs_and_zip.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
kevinelwell
/ Sysmon_Lab.ps1
Created
January 26, 2023 13:43
— forked from Purp1eW0lf/Sysmon_Lab.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2022 March 28th | |
| Authors: Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. | |
| #> | |
| function admin_check{ | |
| if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` |
kevinelwell
/ Install_sysmon.ps1
Created
January 26, 2023 13:41
— forked from Purp1eW0lf/Install_sysmon.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2022 June 30th | |
| Authors: Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate setting up Sysmon with Florian Roth's ruleset. | |
| Sysmon log can be found in C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | |
| #> | |
| function admin_check{ |
kevinelwell
/ Registry_Collect.ps1
Created
January 26, 2023 13:39
— forked from Purp1eW0lf/Registry_Collect.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2023 January 7th | |
| Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. | |
| Notes: | |
| Will trigger AV as it's technically credential dumping. | |
| Also relies on having internet access, to wget TSCopy | |
| Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 5.1 | |
| #Requires -Modules PSFalcon | |
| <# | |
| .SYNOPSIS | |
| This script will copy and execute the KAPE forensics tool on a remote | |
| Microsoft Windows host using CrowdStrike API's and RTR | |
| .DESCRIPTION | |
| Script that leverages the PSFalcom PowerShell module |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am kevinelwell on github. | |
| * I am kevinelwell (https://keybase.io/kevinelwell) on keybase. | |
| * I have a public key whose fingerprint is D078 A711 C45E 3211 CBA5 9424 7CE1 FD34 741F 76A8 | |
| To claim this, I am signing this object: |
kevinelwell
/ keybase.md
Created
December 10, 2019 02:12