
@mgreen27
mgreen27 / plaso.txt
Last active September 24, 2022 12:43
Plaso notes
## Plaso stuff
# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/$MACHINENAME.plaso /data/$MACHINENAME
# parsers can be targeted or skipped with --parsers command
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=\!filestat,\!mft,\!usnjrnl /data/$MACHINENAME.plaso /data/$MACHINENAME
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=winevtx /data/$MACHINENAME_evtx.plaso /data/$MACHINENAME
@mgreen27
mgreen27 / group_machines.vql
Last active September 21, 2022 02:26
Velociraptor admin
-- Tag machines by name, modify for other tagging usecases
LET target_clients = ( 'machinename1','machinename2'... )
SELECT
os_info.hostname as Hostname,
os_info.fqdn as Fqdn,
os_info.release as OS,
timestamp(epoch=first_seen_at) as FirstSeen,
timestamp(epoch=last_seen_at) as LastSeen,
last_ip,
@mgreen27
mgreen27 / WMIEvent-BinaryRename.ps1
Last active July 15, 2022 20:36
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
<#
.SYNOPSIS
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
Name: WMIEvent-BinaryRename.ps1
Version: 1.0
Author: Matt Green (@mgreen27)
.DESCRIPTION
@mgreen27
mgreen27 / 00_ntfs.ps1
Last active July 11, 2022 16:06 — forked from scudette/extended_attributes.ps1
Auscert 2022 Exercise setup
### NTFS exercise setup
## 1. download some files to test various content and add ADS to simulate manual download from a browser
$downloads = (
"https://live.sysinternals.com/PsExec64.exe",
"https://live.sysinternals.com/procdump64.exe",
"https://live.sysinternals.com/sdelete64.exe",
"https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe"
)
@mgreen27
mgreen27 / unallocated.sh
Last active June 24, 2022 09:42
extract unallocated and slack space
#!/bin/bash
# Extract unallocated with TSK
# Version: 0.1
# Date: 2020-05-14
# Author: @mgreen27
# Instructions
# 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH
# or remove comment for hardcoded image name and path
@mgreen27
mgreen27 / ActiveScriptEventConsumer.ps1
Last active January 13, 2022 01:22
PowerShell script to install an ActiveScriptEventConsumer
# PowerShell 2.0+
# Description: PowerShell script to add Event Consumer
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'StagingLocation_Example'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'
@mgreen27
mgreen27 / ETW.yaml
Created January 7, 2022 08:24
ETW enrichment example
name: Custom.ETW.Testing
description: |
This artifact uses the ETW provider:
Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289}
type: CLIENT_EVENT
parameters:
- name: FilePathRegex
description: "FilePath regex filter for"
@mgreen27
mgreen27 / JoeSandbox.yaml
Last active October 19, 2021 22:33
JoeSandbox submission poc
name: Custom.Server.Malware.JoeSandbox
description: |
This is a POC to submit a sample to JoeSandbox.
No options beyond TAC and API have been configured.
type: SERVER
parameters:
- name: JoeSandboxUrl
default: https://www.joesandbox.com/api/v2/submission/new
@mgreen27
mgreen27 / EDR_Killer.ps1
Last active October 18, 2021 16:12
WMI EventConsumer to disable EDR (or other) tools when installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: PowerShell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
@mgreen27
mgreen27 / buildLocalLR.sh
Last active October 1, 2021 20:25
Velociraptor local live response configuration files
#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"