function Get-Derived {
    Param(
        [String]$Class,
        [String]$Namespace
    )
    if (-not [string]::IsNullOrEmpty($Class))
    {
        # List every non-system class whose direct parent is $Class, recurse into each
        # subclass first, then emit the class object itself so the full subtree is returned.
        Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | foreach {
            Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE
            $_
        }
    }
}
<#
.SYNOPSIS
    Invoke-CLSIDParser.ps1 parses COM CLSID entries from HKEY_LOCAL_MACHINE and HKEY_USERS registry hives.
    Name: Invoke-CLSIDParser.ps1
    Version: 0.1
    Author: Matt Green (@mgreen27)
.DESCRIPTION
    Researchers have recently written about several use cases for code execution and persistence utilising COM (Component Object Model) hijacking.
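The hijack pattern that makes CLSID parsing worthwhile is a per-user registration shadowing a machine-wide one: HKCU\Software\Classes\CLSID (backed by the HKEY_USERS\<SID>_Classes hive) is consulted before HKLM, so a user-writable InprocServer32 can redirect a trusted CLSID to an attacker DLL. The following is an added example, not Invoke-CLSIDParser.ps1; it assumes the loaded user class hives appear under HKEY_USERS with a "_Classes" suffix and only checks the InprocServer32 and LocalServer32 server keys.

```powershell
# Added example (not part of Invoke-CLSIDParser.ps1): report per-user CLSID server registrations
# that either shadow a machine-wide CLSID or point at a DLL that no longer exists on disk.
function Get-ComHijackCandidate {
    [CmdletBinding()]
    Param(
        # Server subkeys to inspect under each CLSID (assumption: these two cover the common hijack cases).
        [String[]]$ServerKeys = @('InprocServer32', 'LocalServer32')
    )

    # Baseline: every machine-wide CLSID\<ServerKey> and the (default) server value it registers.
    $machine = @{}
    Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            foreach ($sk in $ServerKeys) {
                $val = Get-ItemProperty -Path "$($_.PSPath)\$sk" -ErrorAction SilentlyContinue
                if ($val) { $machine["$clsid\$sk"] = $val.'(default)' }
            }
        }

    # Per-user class hives are mounted as HKEY_USERS\<SID>_Classes (assumption about the hive naming).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '_Classes$' } |
        ForEach-Object {
            $sid = $_.PSChildName -replace '_Classes$', ''
            Get-ChildItem -Path "$($_.PSPath)\CLSID" -ErrorAction SilentlyContinue | ForEach-Object {
                $clsid = $_.PSChildName
                foreach ($sk in $ServerKeys) {
                    $val = Get-ItemProperty -Path "$($_.PSPath)\$sk" -ErrorAction SilentlyContinue
                    if (-not $val) { continue }
                    $userServer = $val.'(default)'
                    $key = "$clsid\$sk"

                    # Expand %SystemRoot%-style values and strip quotes before testing for the DLL.
                    $expanded = $null
                    if ($userServer) {
                        $expanded = [Environment]::ExpandEnvironmentVariables(($userServer -replace '"', ''))
                    }
                    # Only InprocServer32 is a bare DLL path; LocalServer32 may carry arguments, so skip its existence check.
                    $missing = ($sk -eq 'InprocServer32' -and $expanded -and -not (Test-Path -LiteralPath $expanded))

                    [PSCustomObject]@{
                        UserSid        = $sid
                        CLSID          = $clsid
                        ServerKey      = $sk
                        UserServer     = $userServer
                        MachineServer  = $machine[$key]
                        ShadowsMachine = $machine.ContainsKey($key)   # user entry overrides an HKLM registration
                        ServerMissing  = $missing                      # planted-then-removed or stale entry
                    }
                }
            }
        } | Where-Object { $_.ShadowsMachine -or $_.ServerMissing }
}

# Usage: run elevated so every loaded user hive is readable.
Get-ComHijackCandidate | Format-Table -AutoSize
```

A ShadowsMachine hit is not proof of compromise on its own (some software legitimately registers per-user copies), but a user-hive InprocServer32 pointing into a writable location such as %APPDATA% or %TEMP% for a CLSID that also exists in HKLM is the shape every published COM hijack takes.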
Function Get-AMSIEvents
{
<#
.SYNOPSIS
    Get-AMSIEvents collects AMSI events during interval.
    Name: Get-AMSIEvents.ps1
    Version: 0.1
    Date: 2019-05-26
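AMSI does not write to a classic event log; its events are only available from the Microsoft-Antimalware-Scan-Interface ETW provider, so collecting them for an interval means starting a trace session, waiting, stopping it and parsing the resulting ETL. The block below is an added example, not Get-AMSIEvents.ps1; the provider name, the logman invocation and the EventData field names (appname, contentname, scanResult, content) are assumptions about the Windows 10 provider manifest.

```powershell
# Added example (not part of Get-AMSIEvents.ps1): capture AMSI ETW events for a fixed interval
# and return one object per scanned buffer. Requires an elevated prompt for the ETW session.
function Get-AmsiTraceEvent {
    [CmdletBinding()]
    Param(
        [int]$Seconds = 30,
        [String]$EtlPath = "$env:TEMP\amsi_$PID.etl",
        [String]$SessionName = 'AmsiTrace'
    )
    # Assumption: this is the registered name of the AMSI ETW provider on Windows 10+.
    $provider = 'Microsoft-Antimalware-Scan-Interface'

    # Start a real-time-to-file session, wait out the interval, and always stop the session.
    & logman.exe start $SessionName -p $provider -o $EtlPath -ets | Out-Null
    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        & logman.exe stop $SessionName -ets | Out-Null
    }

    # Each event's XML carries the scan metadata as <Data Name="..."> elements (field names assumed).
    Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            ProcessId   = $_.ProcessId
            AppName     = $data['appname']       # e.g. the PowerShell host that submitted the buffer
            ContentName = $data['contentname']   # script path, or empty for interactive input
            # AMSI_RESULT values: 0 = CLEAN, 1 = NOT_DETECTED, 16384-20479 = BLOCKED_BY_ADMIN, >= 32768 = DETECTED
            ScanResult  = $data['scanResult']
            Content     = $data['content']
        }
    }
}

# Usage: capture 60 seconds of activity and show anything the engine flagged.
Get-AmsiTraceEvent -Seconds 60 | Where-Object { [int]$_.ScanResult -ge 32768 } | Format-List
```

Because the trace is written to disk, clean the ETL up afterwards: it contains the full text of every scanned script, which may include credentials that were passed on a command line.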
function Get-KerberosTicketCache
{
<# __CyberCX__
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.EXAMPLE
function Get-KerberosTicketGrantingTicket
{
<# __CYberCX__
.SYNOPSIS
    Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
.DESCRIPTION
    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
<#
.SYNOPSIS
    Find BinaryRename of commonly abused Living off the Land Binaries
    Name: Get-BinaryRename.ps1
    Date: 2019-05-31
    Version: 0.2
    Author: Matt Green (@mgreen27)
    Requirements:
        Get-FileHash Powershell 4.0+
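A renamed LOLBin keeps the OriginalFilename stored in its PE version resource, and an unmodified copy keeps the same hash as the trusted binary in System32, which gives two independent signals for a rename hunt. The following is an added example, not Get-BinaryRename.ps1; the watch list of binaries and the search paths are illustrative choices, not the gist's.

```powershell
# Added example (not part of Get-BinaryRename.ps1): find files whose version-resource OriginalFilename
# is a commonly abused LOLBin but whose on-disk name differs, and confirm straight copies by hash.
function Find-RenamedLolbin {
    [CmdletBinding()]
    Param(
        # Illustrative locations where dropped/renamed binaries usually land.
        [String[]]$Path = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP"),
        # Illustrative watch list; extend with whatever your environment treats as LOLBins.
        [String[]]$WatchList = @('powershell.exe','cmd.exe','certutil.exe','mshta.exe','rundll32.exe',
                                 'regsvr32.exe','wscript.exe','cscript.exe','bitsadmin.exe','msbuild.exe',
                                 'installutil.exe','regasm.exe','regsvcs.exe','msiexec.exe','cmstp.exe')
    )

    # Hash the trusted System32 copies once; an exact match later means copy-and-rename of the real binary.
    $knownGood = @{}
    foreach ($name in $WatchList) {
        $sys = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $sys) {
            $knownGood[(Get-FileHash -LiteralPath $sys -Algorithm SHA256).Hash] = $name
        }
    }

    # Include non-.exe extensions: renamed binaries are often parked as .tmp/.dat before execution.
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe,*.dll,*.tmp,*.dat -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $orig = $vi.OriginalFilename
            if (-not $orig) { return }
            # Normalise resource quirks (".MUI" suffix, trailing NULs) before comparing; -contains is case-insensitive.
            $orig = ($orig -replace '\.mui$', '').Trim([char]0)
            if ($WatchList -notcontains $orig) { return }
            if ($_.Name -ieq $orig) { return }   # name matches the resource: not a rename

            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [PSCustomObject]@{
                Path             = $_.FullName
                FileName         = $_.Name
                OriginalFilename = $orig
                SHA256           = $hash
                MatchesSystem32  = $knownGood.ContainsKey($hash)   # byte-identical to the trusted copy
                SignatureValid   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -eq 'Valid'
            }
        }
}

# Usage
Find-RenamedLolbin | Format-Table FileName, OriginalFilename, MatchesSystem32, SignatureValid, Path -AutoSize
```

A hit with MatchesSystem32 and a valid signature is still the renamed genuine binary, which is exactly what attackers want (signed code under an innocuous name), so treat the rename itself as the finding rather than waiting for the hash or signature to look bad.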
name: Custom.Windows.System.KB5000871
author: Matt Green - @mgreen27
description: |
  This artifact will check for KB5000871 in system Uninstall keys.
  KB5000871 is not visible via Get-Hotfix or Systeminfo so we need to query the
  uninstall keys. Modify NameRegex to search for other installed applications.
reference:
  - https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
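Exchange security updates such as KB5000871 are MSI/MSP installs, so they land in the Windows Uninstall keys rather than the hotfix store that Get-HotFix and systeminfo read. The same check as the Velociraptor artifact, written in PowerShell for hosts without a Velociraptor client, follows as an added example (not the artifact's own VQL); it covers the 64-bit, WOW6432Node and per-user Uninstall keys.

```powershell
# Added example (not the Custom.Windows.System.KB5000871 artifact): search the Uninstall registry keys
# for an installed entry whose DisplayName or key name matches a regex. Defaults to KB5000871.
function Get-UninstallEntry {
    [CmdletBinding()]
    Param(
        [String]$NameRegex = 'KB5000871'
    )
    # Machine-wide 64-bit and 32-bit install locations, plus every loaded user hive.
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Uninstall" }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Match DisplayName or the key name: patch entries keyed by GUID often only have a DisplayName.
            if (($p.DisplayName -match $NameRegex) -or ($_.PSChildName -match $NameRegex)) {
                [PSCustomObject]@{
                    KeyPath         = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    KeyName         = $_.PSChildName
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    InstallDate     = $p.InstallDate
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# Usage: no rows back means the update is not recorded on this host.
Get-UninstallEntry -NameRegex 'KB5000871' | Format-List
```

For fleet-wide use the absence of a match is the interesting result, so wrap the call in a boolean (`[bool](Get-UninstallEntry)`) and report hosts where it is false.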
<?xml version='1.0' encoding='windows-1252'?>
<?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?>
<?define PackageDescription="COMPANYNAME TOOLNAME installer" ?>
<?define Manufacturer="COMPANYNAME" ?>
<?define Name="TOOLNAME" ?>
<?define Version="VERSION" ?>
<?define BinaryName="TOOLNAME.exe" ?>
<?define BinaryNamex86="TOOLNAMEx86.exe" ?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
  This content will extract BITS Transfer events and enable filtering by URL
reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
parameters:
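BITS jobs (T1197) log to Microsoft-Windows-Bits-Client/Operational, and the URL a job pulled from is only present on the job-started (59) and job-stopped (60) events, not on the create/complete (3/4) events, so URL filtering has to key on those IDs and read the EventData XML. The block below is an added example in PowerShell, not the artifact's VQL; the EventData field names (name, Id, url, bytesTransferred) are assumptions taken from the provider manifest, and the ignore pattern is an illustrative allow-list.

```powershell
# Added example (not the Custom.Windows.EventLogs.Bitsadmin artifact): return BITS transfer events
# whose URL matches a regex, dropping known-good update traffic.
function Get-BitsTransferEvent {
    [CmdletBinding()]
    Param(
        [String]$UrlRegex = '.',   # default: every URL
        # Illustrative allow-list for Windows Update noise; tune or set to '' to see everything.
        [String]$IgnoreRegex = '^https?://[^/]*\.(microsoft|windowsupdate)\.com/',
        [int]$MaxEvents = 5000,
        [String]$LogName = 'Microsoft-Windows-Bits-Client/Operational'
    )
    # 59 = BITS started the transfer job, 60 = BITS stopped transferring; both carry the URL.
    $filter = @{ LogName = $LogName; Id = 59, 60 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $url = $data['url']
            if (-not $url) { return }
            if ($url -notmatch $UrlRegex) { return }
            if ($IgnoreRegex -and $url -match $IgnoreRegex) { return }

            [PSCustomObject]@{
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                JobName          = $data['name']               # assumed field: BITS job display name
                JobId            = $data['Id']                 # assumed field: job GUID
                Url              = $url
                Host             = ([uri]$url).Host
                BytesTransferred = $data['bytesTransferred']   # assumed field, present on 60
            }
        }
}

# Usage: anything not coming from a .com host, a common first cut for staging via BITS.
Get-BitsTransferEvent -UrlRegex '^https?://[^/]+\.(?!com/)' | Format-Table TimeCreated, EventId, JobName, Url -AutoSize
```

Correlate hits with the job-created event (ID 3) on the same job to recover the owning user and the process that queued the transfer; the URL events alone do not say who asked for the download.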