I hereby claim:
- I am kevinelwell on github.
- I am kevinelwell (https://keybase.io/kevinelwell) on keybase.
- I have a public key ASCNviubvngJsDWHfGtJfWhji8Dh6Yj25zzKt4f5noVocgo
To claim this, I am signing this object:
#Requires -Version 5.1
#Requires -Modules @{ModuleName='PSFalcon';ModuleVersion='2.2.1'}
#Requires -RunAsAdministrator
<#
.SYNOPSIS
This script will copy and execute the KAPE forensics tool on a remote
Microsoft Windows host using CrowdStrike APIs and RTR
.DESCRIPTION
# Ensure errors don't ruin anything for us
$ErrorActionPreference = "SilentlyContinue"
# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")
$basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"
$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"
<#
Meta
Date: 2022 March 28th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab.
#>
function admin_check{
if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
<#
Meta
Date: 2022 June 30th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon with Florian Roth's ruleset.
Sysmon log can be found in C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
#>
function admin_check{
<#
Meta
Date: 2023 January 7th
Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate collecting Windows Registry hives, including related .DATs for all users.
Notes:
Will trigger AV as it's technically credential dumping.
Also relies on having internet access, to wget TSCopy
Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy
#Requires -Version 5.1
#Requires -Modules PSFalcon
<#
.SYNOPSIS
This script will copy and execute the KAPE forensics tool on a remote
Microsoft Windows host using CrowdStrike APIs and RTR
.DESCRIPTION
Script that leverages the PSFalcon PowerShell module
### Keybase proof
I hereby claim:
* I am kevinelwell on github.
* I am kevinelwell (https://keybase.io/kevinelwell) on keybase.
* I have a public key whose fingerprint is D078 A711 C45E 3211 CBA5 9424 7CE1 FD34 741F 76A8
To claim this, I am signing this object: