mgreen27 / Find Internal IP
Created March 2, 2024 03:48
Notebook to find internal IP
-- Return the single most recent flow on `clientid` that has results for
-- `artifact`. flatten() expands the artifacts_with_results list so a flow
-- that collected several artifacts still matches on one name.
-- NOTE(review): "latest" relies on flows() returning newest-first and
-- LIMIT 1 taking that first row — confirm, or order on start_time
-- explicitly. Nothing filters on `state`, so an errored flow that still
-- wrote partial results can be selected; add a state check if that matters.
LET find_flows(clientid,artifact) = SELECT *
FROM flatten(query={ SELECT client_id, session_id,artifacts_with_results,start_time,state FROM flows(client_id=clientid) })
WHERE artifacts_with_results = artifact
LIMIT 1 -- will collect latest
LET results = SELECT
client_id as ClientId,
os_info.hostname as Hostname,
os_info.fqdn as Fqdn,
mgreen27 / MsiInstallerMetadata.yaml
Created January 8, 2024 07:26
Hacky way to find msi installer metadata in Velociraptor and not use powershell
name: Windows.System.MsiInstallerMetadata
author: Matt Green - @mgreen27
description: |
This artifact runs VBScript through cscript.exe to collect MSI
installer metadata.
PowerShell is avoided to minimise footprint, but the artifact still spawns
cscript.exe on the endpoint (hence the EXECVE permission below), which EDR
or application control may flag. Use a notebook to search the collected metadata.
required_permissions:
- EXECVE
mgreen27 / Run-TCGLogTools.ps1
Last active November 28, 2023 01:44
Run-TCGLogTools in Velociraptor
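# This is a staging file for Running TCGLogTools in Velociraptor
# Expects the caller (presumably the Velociraptor artifact that stages this
# script) to set two environment variables:
#   TCGLogTools     - path of the TCGLogTools module to import
#   TCGLogLocation  - directory containing stored TCG event logs
# Import-Module loads whatever TCGLogTools points at, so that path must be a
# trusted, non-user-writable location — a writable path lets someone run
# their own code in this session. NOTE(review): inferred from usage; confirm
# in the artifact that sets these variables.
Import-Module $Env:TCGLogTools
# Parse every stored log. Full cmdlet name instead of the `ls` alias: aliases
# are not guaranteed to exist on every host and can be shadowed.
$TCGLog = Get-ChildItem -Path $Env:TCGLogLocation | ConvertTo-TCGEventLog -MinimizedX509CertInfo
# Append the live SRTM log read from the TPM so the output also covers the
# current boot, not only the logs on disk.
$TCGCurrentBytes = Get-TCGLogContent -LogType SRTMCurrent
$TCGLog = $TCGLog + $(ConvertTo-TCGEventLog -LogBytes $TCGCurrentBytes -MinimizedX509CertInfo)
# Emit JSON for Velociraptor to parse. ConvertTo-Json flattens objects nested
# deeper than -Depth to strings; raise it if event fields come back unparsed.
$TCGLog | ConvertTo-Json -Depth 8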
mgreen27 / Patch-RDP.ps1
Last active November 4, 2023 09:18
DEATHcon 2023
Function Patch-RDP {
<#
.SYNOPSIS
Patch RDP to enable multiple RDP sessions on non RDP servers.
Name: patch_rdp.ps1
Version: 0.2
Author: Matt Green - @mgreen27
.DESCRIPTION
mgreen27 / update.sh
Created August 30, 2023 00:53
Velociraptor server update
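#!/bin/bash
# Update install script
# run ./update.sh velociraptor-v0.6.4-dev-linux-amd64
# firstly back up the old installer
#mv *.deb old/
# Require the new binary as the first argument and fail early rather than
# running chmod with an empty or unquoted path (the original `chmod +x $1`
# would also word-split a path containing spaces).
if [ -z "$1" ] || [ ! -f "$1" ]; then
    echo "usage: $0 <velociraptor-binary>" >&2
    exit 1
fi
# NOTE(review): nothing here verifies the binary before it is made
# executable (and presumably installed by the rest of the script);
# compare its hash or signature against the release page first.
# next make the binary executable
sudo chmod +x "$1"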
mgreen27 / Get-InjectedThreadEx.ps1
Last active February 21, 2023 12:16
Get-InjectedThreadEx for use in Velociraptor
function Get-InjectedThreadEx
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
mgreen27 / impact.vql
Last active February 16, 2023 05:59
Vql ransomware impact scoping Windows.NTFS.MFT
/*
### Drive Ransom note stats
*/
SELECT
strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive,
FileName as RansomeNote,
--min(item=Created0x10) as EarliestCreation,
--max(item=Created0x10) as LatestCreation,
min(item=LastModified0x10) as EarliestModified,
max(item=LastModified0x10) as LatestModified,
mgreen27 / 01_ntfs.ps1
Last active November 6, 2022 04:16
DEATHcon Exercises
### NTFS exercise setup
## 1. Fetch a few Sysinternals tools over HTTPS to give the exercise some
##    real file content; an ADS is added afterwards so the files look like
##    they were downloaded manually through a browser.
$downloads = @(
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe"
)
mgreen27 / enrichment.vql
Last active October 5, 2022 17:32
Velocon 2022 - Notebook and VQL: Data munging your way to victory!
-- add API key here
-- NOTE(review): the key lives in plain text in this notebook cell, readable
-- by anyone who can open the notebook and by anyone who sees a copy of it
-- (such as this gist). Keep real keys out of shared notebooks, rotate any
-- key that has been pasted here, and prefer a server-side secret mechanism
-- if your Velociraptor version provides one.
LET APIKey = 'REDACTED'
-- firstly Materialize all entries for performance
LET all_entries <= SELECT
Fqdn,ClientId,
`Entry Location` as EntryLocation,
Entry,Enabled,Profile,Description,Company,
`Image Path` as ImagePath,
Version,
mgreen27 / plaso.txt
Last active September 24, 2022 12:43
Plaso notes
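## Plaso stuff
# log2timeline
# The current directory is bind-mounted as /data; MACHINENAME names both the
# evidence directory and the output storage file. Quoting keeps paths with
# spaces intact.
docker run -v "$(pwd)":/data log2timeline/plaso log2timeline "/data/${MACHINENAME}.plaso" "/data/${MACHINENAME}"
# parsers can be targeted or skipped with --parsers command. Single quotes
# stop an interactive shell from treating '!' as history expansion, so the
# backslashes are no longer needed.
docker run -v "$(pwd)":/data log2timeline/plaso log2timeline --parsers='!filestat,!mft,!usnjrnl' "/data/${MACHINENAME}.plaso" "/data/${MACHINENAME}"
# Bug fix: the original `$MACHINENAME_evtx.plaso` expands the (unset)
# variable MACHINENAME_evtx and writes to /data/.plaso; braces delimit the
# variable name so the output is <machine>_evtx.plaso.
docker run -v "$(pwd)":/data log2timeline/plaso log2timeline --parsers=winevtx "/data/${MACHINENAME}_evtx.plaso" "/data/${MACHINENAME}"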