function Get-KerberosTicketGrantingTicket
{
<# __CYberCX__
.SYNOPSIS
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
## Plaso stuff
# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/$MACHINENAME.plaso /data/$MACHINENAME
# parsers can be targeted or skipped with the --parsers option (a leading ! excludes a parser)
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=\!filestat,\!mft,\!usnjrnl /data/$MACHINENAME.plaso /data/$MACHINENAME
# braces are required here, otherwise the shell expands a variable named MACHINENAME_evtx
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=winevtx /data/${MACHINENAME}_evtx.plaso /data/$MACHINENAME
name: Custom.Packs.HAFNIUM.Windows.WebshellSearch
author: Matt Green - @mgreen27
description: |
  This artifact will hunt for webshells associated with the HAFNIUM campaign as
  reported by Microsoft and Volexity.
  The default artifact will discover all ASPX files on C: and then run a preconfigured
  YARA rule. A YARA rule can be supplied via the YaraRule parameter, or alternatively a
  URL can be set to download a remote rule set.
name: Custom.Windows.System.KB5000871
author: Matt Green - @mgreen27
description: |
  This artifact will check for KB5000871 in system Uninstall keys.
  KB5000871 is not visible via Get-Hotfix or Systeminfo, so we need to query the
  uninstall keys. Modify NameRegex to search for other installed applications.
reference:
  - https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
  This content will extract BITS Transfer events and enable filtering by URL.
reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
parameters:
<?xml version='1.0' encoding='windows-1252'?>
<?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?>
<?define PackageDescription="COMPANYNAME TOOLNAME installer" ?>
<?define Manufacturer="COMPANYNAME" ?>
<?define Name="TOOLNAME" ?>
<?define Version="VERSION" ?>
<?define BinaryName="TOOLNAME.exe" ?>
<?define BinaryNamex86="TOOLNAMEx86.exe" ?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
{
  "Frontend": {
    "hostname": "",
    "bind_address": "0.0.0.0",
    "bind_port": 443,
    "public_path": "/opt/velociraptor/PUBLICTEMPLATE",
    "default_client_monitoring_artifacts": [
      "Generic.Client.Stats"
    ],
    "dyn_dns": {
name: Custom.Server.Malware.JoeSandbox
description: |
  This is a POC to submit a sample to Joe Sandbox.
  No options beyond TAC and API have been configured.
type: SERVER
parameters:
  - name: JoeSandboxUrl
    default: https://www.joesandbox.com/api/v2/submission/new
name: Custom.ETW.Testing
description: |
  This artifact uses the ETW provider:
  Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289}
type: CLIENT_EVENT
parameters:
  - name: FilePathRegex
    description: "FilePath regex filter for"