@mgreen27
mgreen27 / setup_wireguard.sh
Last active June 26, 2024 01:29
Script to setup quick and dirty wireguard VPN server
#!/bin/bash
# This script sets up a WireGuard VPN server and generates a basic client configuration
# Exit immediately if a command exits with a non-zero status
set -e
# Check if run as root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root"
@mgreen27
mgreen27 / Find Internal IP
Created March 2, 2024 03:48
Notebook to find internal IP
LET find_flows(clientid,artifact) = SELECT *
FROM flatten(query={ SELECT client_id, session_id,artifacts_with_results,start_time,state FROM flows(client_id=clientid) })
WHERE artifacts_with_results = artifact
LIMIT 1 -- will collect latest
LET results = SELECT
client_id as ClientId,
os_info.hostname as Hostname,
os_info.fqdn as Fqdn,
@mgreen27
mgreen27 / MsiInstallerMetadata.yaml
Created January 8, 2024 07:26
Hacky way to find msi installer metadata in Velociraptor and not use powershell
name: Windows.System.MsiInstallerMetadata
author: Matt Green - @mgreen27
description: |
This artifact runs VBScript through cscript.exe and calculates MSI
installer metadata.
Not using powershell to minimise footprint, use notebook to search for metadata.
required_permissions:
- EXECVE
@mgreen27
mgreen27 / Patch-RDP.ps1
Last active November 4, 2023 09:18
DEATHcon 2023
Function Patch-RDP {
<#
.SYNOPSIS
Patch RDP to enable multiple RDP sessions on non RDP servers.
Name: patch_rdp.ps1
Version: 0.2
Author: Matt Green - @mgreen27
.DESCRIPTION
@mgreen27
mgreen27 / Run-TCGLogTools.ps1
Last active November 28, 2023 01:44
Run-TCGLogTools in Velociraptor
# This is a staging file for Running TCGLogTools in Velociraptor
Import-Module $Env:TCGLogTools
$TCGLog = ls $Env:TCGLogLocation | ConvertTo-TCGEventLog -MinimizedX509CertInfo
$TCGCurrentBytes = Get-TCGLogContent -LogType SRTMCurrent
$TCGLog = $TCGLog + $(ConvertTo-TCGEventLog -LogBytes $TCGCurrentBytes -MinimizedX509CertInfo)
$TCGLog | ConvertTo-Json -Depth 8
@mgreen27
mgreen27 / update.sh
Created August 30, 2023 00:53
Velociraptor server update
#!/bin/bash
# Update install script
# run ./update.sh velociraptor-v0.6.4-dev-linux-amd64
# first, back up the old installer
#mv *.deb old/
# next make binary executable
sudo chmod +x $1
@mgreen27
mgreen27 / Get-InjectedThreadEx.ps1
Last active February 21, 2023 12:16
Get-InjectedThreadEx for use in Velociraptor
function Get-InjectedThreadEx
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@mgreen27
mgreen27 / impact.vql
Last active February 16, 2023 05:59
Vql ransomware impact scoping Windows.NTFS.MFT
/*
### Drive Ransom note stats
*/
SELECT
strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
FileName as RansomeNote,
--min(item=Created0x10) as EarliestCreation,
--max(item=Created0x10) as LatestCreation,
min(item=LastModified0x10) as EarliestModified,
max(item=LastModified0x10) as LatestModified,
@mgreen27
mgreen27 / 01_ntfs.ps1
Last active November 6, 2022 04:16
DEATHcon Exercises
### NTFS exercise setup
## 1. download some files to test various content and add ADS to simulate manual download from a browser
$downloads = (
"https://live.sysinternals.com/PsExec64.exe",
"https://live.sysinternals.com/procdump64.exe",
"https://live.sysinternals.com/sdelete64.exe"
)
@mgreen27
mgreen27 / group_machines.vql
Last active September 21, 2022 02:26
Velociraptor admin
-- Tag machines by name, modify for other tagging usecases
LET target_clients = ( 'machinename1','machinename2'... )
SELECT
os_info.hostname as Hostname,
os_info.fqdn as Fqdn,
os_info.release as OS,
timestamp(epoch=first_seen_at) as FirstSeen,
timestamp(epoch=last_seen_at) as LastSeen,
last_ip,