## Plaso stuff
# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/$MACHINENAME.plaso /data/$MACHINENAME
# parsers can be targeted or skipped with the --parsers option
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=\!filestat,\!mft,\!usnjrnl /data/$MACHINENAME.plaso /data/$MACHINENAME
# braces are required here, otherwise the shell expands $MACHINENAME_evtx as a separate (empty) variable
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=winevtx /data/${MACHINENAME}_evtx.plaso /data/$MACHINENAME

-- Tag machines by name, modify for other tagging use cases
LET target_clients = ( 'machinename1','machinename2'... )
SELECT
    os_info.hostname as Hostname,
    os_info.fqdn as Fqdn,
    os_info.release as OS,
    timestamp(epoch=first_seen_at) as FirstSeen,
    timestamp(epoch=last_seen_at) as LastSeen,
    last_ip,

<#
.SYNOPSIS
    WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
    Name: WMIEvent-BinaryRename.ps1
    Version: 1.0
    Author: Matt Green (@mgreen27)
.DESCRIPTION

### NTFS exercise setup
## 1. download some files to test various content and add ADS to simulate manual download from a browser
$downloads = (
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe",
    "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe"
)

#!/bin/bash
# Extract unallocated with TSK
# Version: 0.1
# Date: 2020-05-14
# Author: @mgreen27
# Instructions
# 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH
#    or remove comment for hardcoded image name and path

# PowerShell 2.0+
# Description: Powershell script to add Event Consumer
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'StagingLocation_Example'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'

name: Custom.ETW.Testing
description: |
    This artifact uses the ETW provider:
    Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289}
type: CLIENT_EVENT
parameters:
  - name: FilePathRegex
    description: "FilePath regex filter for"

name: Custom.Server.Malware.JoeSandbox
description: |
    This is a POC to submit a sample to JoesSandbox.
    No options beyond TAC and API have been configured.
type: SERVER
parameters:
  - name: JoeSandboxUrl
    default: https://www.joesandbox.com/api/v2/submission/new

# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'

#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"