Matthew Green mgreen27

@mgreen27
mgreen27 / Get-KerberosTicketGrantingTicket.ps1
Created Sep 23, 2020
Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
{
<# __CYberCX__
.SYNOPSIS
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
@mgreen27
mgreen27 / Get-KerberosTicketCache.ps1
Last active Sep 22, 2020
Get-KerberosTicketCache
function Get-KerberosTicketCache
{
<# __CyberCX__
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.EXAMPLE
@mgreen27
mgreen27 / iddqd.yar
Created Sep 5, 2020 — forked from Neo23x0/iddqd.yar
IDDQD - Godmode YARA Rule
/*
_____ __ __ ___ __
/ ___/__ ___/ / / |/ /__ ___/ /__
/ (_ / _ \/ _ / / /|_/ / _ \/ _ / -_)
\___/\___/\_,_/_/_/__/_/\___/\_,_/\__/
\ \/ / _ | / _ \/ _ | / _ \__ __/ /__
\ / __ |/ , _/ __ | / , _/ // / / -_)
/_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/
Florian Roth - v0.5.0 October 2019
@mgreen27
mgreen27 / Get-InjectedThread.ps1
Last active Aug 20, 2020 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@mgreen27
mgreen27 / deleteClient.sh
Created Jan 1, 2020
deleteClient.sh is a quick script to delete a client from a Velociraptor installation
#!/bin/bash
# deleteClient.sh is a quick script to delete a client from a Velociraptor installation
# author: @mgreen27
# usage: ./deleteClient.sh [hostname|client_id]
# Set standard path variables
FOLDER=/opt/vraptor
BINFOLDER=/usr/local/bin
CONFIG=/etc/velociraptor
@mgreen27
mgreen27 / buildLocalLR.sh
Last active Jun 19, 2020
Velociraptor local live response configuration files
#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"
mgreen27 / o365-kb.md

| Term | Description | Link(s) |
| --- | --- | --- |
| Alias | Another email address that people can use to email | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users | |
| AuditAdmin | | |
| AuditDelegate | | |
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book & on the To and From lines on an email. | |
| EAC | "Exchange Admin Center" | |
@mgreen27
mgreen27 / Get-BinaryRename.ps1
Created Jun 1, 2019
Binary Rename static detection
<#
.SYNOPSIS
Find BinaryRename of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
Get-FileHash PowerShell 4.0+
mgreen27 / Get-AMSIEvents.ps1
Function Get-AMSIEvents
{
<#
.SYNOPSIS
Get-AMSIEvents collects AMSI events during interval.
Name: Get-AMSIEvents.ps1
Version: 0.1
Date: 2019-05-26