| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users | |
| AuditAdmin | ||
| AuditDelegate | ||
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book & on the TO and From lines on an email. | |
| EAC | "Exchange Admin Center" |
Matthew Green mgreen27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Frontend": { | |
| "hostname": "", | |
| "bind_address": "0.0.0.0", | |
| "bind_port": 443, | |
| "public_path": "/opt/velociraptor/PUBLICTEMPLATE", | |
| "default_client_monitoring_artifacts": [ | |
| "Generic.Client.Stats" | |
| ], | |
| "dyn_dns": { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Packs.HAFNIUM.Windows.WebshellSearch | |
| author: Matt Green - @mgreen27 | |
| description: | | |
| This artifact will hunt for Webshells associated with the HAFNIUM campaign as | |
| reported by Microsoft and Volexity. | |
| The default artifact will discover all ASPX files on C: then run a preconfigured | |
| yara rule. Yara can be supplied by the YaraRule parameter or alternatively a | |
| URL can be set to enable download of remote rule set. | |
mgreen27
/ buildLocalLR.sh
Last active
October 1, 2021 20:25
Velociraptor local live response configuration files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Author: Matt Green - @mgreen27 | |
| # Description: script to download and build x64 and x86 Velociraptor local live response tool | |
| # 3rd party binaries embedded in output files | |
| # Linux requirements: wget, curl, zip | |
| # Tested: Velociraptor 0.3.7 | |
| # latest Velociraptor release binary from github | |
| LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)" |
mgreen27
/ EDR_Killer.ps1
Last active
October 18, 2021 16:12
WMI EventConsumer to disable EDR (or other tools) tools when installed
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell 2.0 | |
| # Name: EDR_Killer.ps1 | |
| # Version: 1.0 | |
| # Author: @mgreen27 | |
| # Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed. | |
| # Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Set Variables | |
| $Name = 'EDR_Killer' | |
| $Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Server.Malware.JoeSandbox | |
| description: | | |
| This is a POC to submit a sample to JoesSandbox. | |
| No options beyont TAC and API have been configured. | |
| type: SERVER | |
| parameters: | |
| - name: JoeSandboxUrl | |
| default: https://www.joesandbox.com/api/v2/submission/new |
mgreen27
/ o365-kb.md
Last active
November 29, 2021 01:20
— forked from hiddenillusion/o365-kb.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.ETW.Testing | |
| description: | | |
| This artifact uses the ETW provider: | |
| Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289} | |
| type: CLIENT_EVENT | |
| parameters: | |
| - name: FilePathRegex | |
| description: "FilePath regex filter for" |
mgreen27
/ ActiveScriptEventConsumer.ps1
Last active
January 13, 2022 01:22
PowerShell script to install an ActiveScriptEventConsumer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell 2.0+ | |
| # Description: Powershell script to add Event Consumer | |
| # Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Set Variables | |
| $Name = 'StagingLocation_Example' | |
| $Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"' | |
| $EventNamespace = 'root/cimv2' | |
| $Class = 'ActiveScriptEventConsumer' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Extract unallocated with TSK | |
| # Version: 0.1 | |
| # Date: 2020-05-14 | |
| # Author: @mgreen27 | |
| # Instructions | |
| # 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH | |
| # or remove comment for hardcoded image name and path |
mgreen27
/ 00_ntfs.ps1
Last active
July 11, 2022 16:06
— forked from scudette/extended_attributes.ps1
Auscert 2022 Exercise setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe", | |
| "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
| ) |