Matthew Green mgreen27
mgreen27
/ 00_ntfs.ps1
Last active
July 11, 2022 16:06
— forked from scudette/extended_attributes.ps1
Auscert 2022 Exercise setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe", | |
| "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Extract unallocated with TSK | |
| # Version: 0.1 | |
| # Date: 2020-05-14 | |
| # Author: @mgreen27 | |
| # Instructions | |
| # 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH | |
| # or remove comment for hardcoded image name and path |
mgreen27
/ enrichment.vql
Last active
October 5, 2022 17:32
Velocon 2022 - Notebook and VQL: Data munging your way to victory!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- add API key here | |
| LET APIKey = 'REDACTED' | |
| -- firstly Materialize all entries for performance | |
| LET all_entries <= SELECT | |
| Fqdn,ClientId, | |
| `Entry Location` as EntryLocation, | |
| Entry,Enabled,Profile,Description,Company, | |
| `Image Path` as ImagePath, | |
| Version, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Tag machines by name, modify for other tagging usecases | |
| LET target_clients = ( 'machinename1','machinename2'... ) | |
| SELECT | |
| os_info.hostname as Hostname, | |
| os_info.fqdn as Fqdn, | |
| os_info.release as OS, | |
| timestamp(epoch=first_seen_at) as FirstSeen, | |
| timestamp(epoch=last_seen_at) as LastSeen, | |
| last_ip, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe" | |
| ) |
mgreen27
/ impact.vql
Last active
February 16, 2023 05:59
Vql ransomware impact scoping Windows.NTFS.MFT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ### Drive Ransom note stats | |
| */ | |
| SELECT | |
| strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive, | |
| FileName as RansomeNote, | |
| --min(item=Created0x10) as EarliestCreation, | |
| --max(item=Created0x10) as LatestCreation, | |
| min(item=LastModified0x10) as EarliestModified, | |
| max(item=LastModified0x10) as LatestModified, |
mgreen27
/ Get-InjectedThreadEx.ps1
Last active
February 21, 2023 12:16
Get-InjectedThreadEx for use in Velociraptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThreadEx | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Update install script | |
| # run ./update.sh velociraptor-v0.6.4-dev-linux-amd64 | |
| # firslt backup old installer | |
| #mv *.deb old/ | |
| # next make binary executable | |
| sudo chmod +x $1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is a staging file for Running TCGLogTools in Velociraptor | |
| Import-Module $Env:TCGLogTools | |
| $TCGLog = ls $Env:TCGLogLocation | ConvertTo-TCGEventLog -MinimizedX509CertInfo | |
| $TCGCurrentBytes = Get-TCGLogContent -LogType SRTMCurrent | |
| $TCGLog = $TCGLog + $(ConvertTo-TCGEventLog -LogBytes $TCGCurrentBytes -MinimizedX509CertInfo) | |
| $TCGLog | ConvertTo-Json -Depth 8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Patch-RDP { | |
| <# | |
| .SYNOPSIS | |
| Patch RDP to enable multiple RDP sessions on non RDP servers. | |
| Name: patch_rdp.ps1 | |
| Version: 0.2 | |
| Author: Matt Green - @mgreen27 | |
| .DESCRIPTION |