Term | Description | Link(s) |
---|---|---|
Alias | Another email address that people can use to email | |
App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
Alternate email address | Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users | |
AuditAdmin | ||
AuditDelegate | ||
Delegate | An account with assigned permissions to a mailbox. | |
Display Name | Name that appears in the Address Book & on the TO and From lines on an email. | |
EAC | "Exchange Admin Center" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"Frontend": { | |
"hostname": "", | |
"bind_address": "0.0.0.0", | |
"bind_port": 443, | |
"public_path": "/opt/velociraptor/PUBLICTEMPLATE", | |
"default_client_monitoring_artifacts": [ | |
"Generic.Client.Stats" | |
], | |
"dyn_dns": { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Custom.Packs.HAFNIUM.Windows.WebshellSearch | |
author: Matt Green - @mgreen27 | |
description: | | |
This artifact will hunt for Webshells associated with the HAFNIUM campaign as | |
reported by Microsoft and Volexity. | |
The default artifact will discover all ASPX files on C: then run a preconfigured | |
yara rule. Yara can be supplied by the YaraRule parameter or alternatively a | |
URL can be set to enable download of remote rule set. | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# Author: Matt Green - @mgreen27 | |
# Description: script to download and build x64 and x86 Velociraptor local live response tool | |
# 3rd party binaries embedded in output files | |
# Linux requirements: wget, curl, zip | |
# Tested: Velociraptor 0.3.7 | |
# latest Velociraptor release binary from github | |
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# PowerShell 2.0 | |
# Name: EDR_Killer.ps1 | |
# Version: 1.0 | |
# Author: @mgreen27 | |
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed. | |
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
# Set Variables | |
$Name = 'EDR_Killer' | |
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Custom.Server.Malware.JoeSandbox | |
description: | | |
This is a POC to submit a sample to JoesSandbox. | |
No options beyont TAC and API have been configured. | |
type: SERVER | |
parameters: | |
- name: JoeSandboxUrl | |
default: https://www.joesandbox.com/api/v2/submission/new |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Custom.ETW.Testing | |
description: | | |
This artifact uses the ETW provider: | |
Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289} | |
type: CLIENT_EVENT | |
parameters: | |
- name: FilePathRegex | |
description: "FilePath regex filter for" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# PowerShell 2.0+ | |
# Description: Powershell script to add Event Consumer | |
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
# Set Variables | |
$Name = 'StagingLocation_Example' | |
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"' | |
$EventNamespace = 'root/cimv2' | |
$Class = 'ActiveScriptEventConsumer' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Extract unallocated with TSK | |
# Version: 0.1 | |
# Date: 2020-05-14 | |
# Author: @mgreen27 | |
# Instructions | |
# 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH | |
# or remove comment for hardcoded image name and path |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### NTFS exercise setup | |
## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
$downloads = ( | |
"https://live.sysinternals.com/PsExec64.exe", | |
"https://live.sysinternals.com/procdump64.exe", | |
"https://live.sysinternals.com/sdelete64.exe", | |
"https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
) |