### NTFS exercise setup
## 1. download some files to test various content and add ADS to simulate manual download from a browser
$downloads = (
"https://live.sysinternals.com/PsExec64.exe",
"https://live.sysinternals.com/procdump64.exe",
"https://live.sysinternals.com/sdelete64.exe",
"https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe"
)
#!/bin/bash
# Extract unallocated with TSK
# Version: 0.1
# Date: 2020-05-14
# Author: @mgreen27
# Instructions
# 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH
# or remove comment for hardcoded image name and path
-- add API key here
LET APIKey = 'REDACTED'
-- firstly Materialize all entries for performance
LET all_entries <= SELECT
Fqdn,ClientId,
`Entry Location` as EntryLocation,
Entry,Enabled,Profile,Description,Company,
`Image Path` as ImagePath,
Version,
-- Tag machines by name, modify for other tagging usecases
LET target_clients = ( 'machinename1','machinename2'... )
SELECT
os_info.hostname as Hostname,
os_info.fqdn as Fqdn,
os_info.release as OS,
timestamp(epoch=first_seen_at) as FirstSeen,
timestamp(epoch=last_seen_at) as LastSeen,
last_ip,
### NTFS exercise setup
## 1. download some files to test various content and add ADS to simulate manual download from a browser
$downloads = (
"https://live.sysinternals.com/PsExec64.exe",
"https://live.sysinternals.com/procdump64.exe",
"https://live.sysinternals.com/sdelete64.exe"
)
/*
### Drive Ransom note stats
*/
SELECT
strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
FileName as RansomeNote,
--min(item=Created0x10) as EarliestCreation,
--max(item=Created0x10) as LatestCreation,
min(item=LastModified0x10) as EarliestModified,
max(item=LastModified0x10) as LatestModified,
function Get-InjectedThreadEx
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
#!/bin/bash
# Update install script
# run ./update.sh velociraptor-v0.6.4-dev-linux-amd64
# firstly backup old installer
#mv *.deb old/
# next make binary executable (quote $1 so paths with spaces survive)
sudo chmod +x "$1"
# This is a staging file for Running TCGLogTools in Velociraptor
Import-Module $Env:TCGLogTools
$TCGLog = ls $Env:TCGLogLocation | ConvertTo-TCGEventLog -MinimizedX509CertInfo
$TCGCurrentBytes = Get-TCGLogContent -LogType SRTMCurrent
$TCGLog = $TCGLog + $(ConvertTo-TCGEventLog -LogBytes $TCGCurrentBytes -MinimizedX509CertInfo)
$TCGLog | ConvertTo-Json -Depth 8
Function Patch-RDP {
<#
.SYNOPSIS
Patch RDP to enable multiple RDP sessions on non RDP servers.
Name: patch_rdp.ps1
Version: 0.2
Author: Matt Green - @mgreen27
.DESCRIPTION