This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
#!/bin/bash
# Extract unallocated with TSK
# Version: 0.1
# Date: 2020-05-14
# Author: @mgreen27
# Instructions
# 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH
#    or uncomment the hardcoded image name and path
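Once unallocated space has been dumped (for example with TSK's blkls -A), the next step is to carve EVTX chunks out of it without drowning in false positives from a bare string search. The following Python is an added example, not the gist's script or any tool's code: it scans a byte stream for the "ElfChnk\0" magic and only reports a hit when the chunk's stored header checksum matches the CRC32 the EVTX chunk format defines (bytes 0-119 plus 128-511 of the chunk). The sample "unallocated space" is constructed inline; the function and file names are assumptions made here.

```python
import os
import struct
import zlib

# EVTX chunk layout constants (Windows XML Event Log format).
CHUNK_MAGIC = b"ElfChnk\x00"
CHUNK_SIZE = 65536
CHECKSUM_OFFSET = 124  # header checksum field in the 128-byte chunk header


def chunk_header_crc(chunk: bytes) -> int:
    # The stored header checksum is the CRC32 of bytes 0-119 and 128-511 of the
    # chunk; bytes 120-127 (flags and the checksum field itself) are skipped.
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def carve_evtx_chunks(blob: bytes, align: int = 1) -> list:
    """Scan a raw byte stream (e.g. blkls output) for EVTX chunks.

    A hit is reported only when the 64 KiB region starting at the magic carries
    a header checksum equal to the recomputed CRC32, which rejects stray copies
    of the magic and partially overwritten chunks. Returns one dict per hit.
    """
    hits = []
    pos = blob.find(CHUNK_MAGIC)
    while pos != -1:
        end = pos + CHUNK_SIZE
        if pos % align == 0 and end <= len(blob):
            chunk = blob[pos:end]
            stored = struct.unpack_from("<I", chunk, CHECKSUM_OFFSET)[0]
            if stored == chunk_header_crc(chunk):
                first_num, last_num = struct.unpack_from("<QQ", chunk, 8)
                hits.append({"offset": pos, "first_record": first_num,
                             "last_record": last_num, "data": chunk})
        pos = blob.find(CHUNK_MAGIC, pos + 1)
    return hits


def write_chunks(hits: list, outdir: str) -> list:
    """Write each carved chunk to its own file, named by its source offset."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for h in hits:
        path = os.path.join(outdir, f"chunk_{h['offset']:#010x}.bin")
        with open(path, "wb") as f:
            f.write(h["data"])
        paths.append(path)
    return paths


def build_chunk(first_num: int, last_num: int, valid: bool = True) -> bytes:
    """Constructed sample: a minimal chunk header with a correct (or deliberately
    wrong) header checksum; the record area is left empty."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_MAGIC
    # first/last record number, first/last record identifier
    struct.pack_into("<QQQQ", chunk, 8, first_num, last_num, first_num, last_num)
    # header size, last record data offset, free space offset
    struct.pack_into("<III", chunk, 40, 128, 128, 128)
    crc = chunk_header_crc(bytes(chunk))
    if not valid:
        crc ^= 0xFFFFFFFF  # guarantees a mismatch with the real value
    struct.pack_into("<I", chunk, CHECKSUM_OFFSET, crc)
    return bytes(chunk)


def build_sample_blob() -> bytes:
    """Constructed 'unallocated space': slack, a valid chunk, slack, a decoy that
    carries the magic but a corrupted header, then a truncated fragment."""
    slack = b"\x00" * 4096
    return (slack + build_chunk(1, 37) + slack + build_chunk(40, 41, valid=False)
            + slack + CHUNK_MAGIC + b"\x00" * 100)


if __name__ == "__main__":
    for h in carve_evtx_chunks(build_sample_blob(), align=4096):
        print(f"valid chunk at {h['offset']:#x}: records "
              f"{h['first_record']}-{h['last_record']}")
```

Because EVTX chunks sit at 4096-byte multiples inside the log file and blkls emits whole filesystem blocks, passing align=4096 (the usual NTFS cluster size) skips most of the scan on real images; leave the default when the source was obtained some other way.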
### NTFS exercise setup
## 1. download some files to test various content and add an ADS to simulate a manual download from a browser
$downloads = (
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe",
    "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe"
)
name: Custom.ETW.Testing
description: |
  This artifact uses the ETW provider:
  Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289}
type: CLIENT_EVENT
parameters:
  - name: FilePathRegex
    description: "FilePath regex filter for"
name: Custom.Server.Malware.JoeSandbox
description: |
  This is a POC to submit a sample to Joe Sandbox.
  No options beyond TAC and API have been configured.
type: SERVER
parameters:
  - name: JoeSandboxUrl
    default: https://www.joesandbox.com/api/v2/submission/new
{
  "Frontend": {
    "hostname": "",
    "bind_address": "0.0.0.0",
    "bind_port": 443,
    "public_path": "/opt/velociraptor/PUBLICTEMPLATE",
    "default_client_monitoring_artifacts": [
      "Generic.Client.Stats"
    ],
    "dyn_dns": {
<?xml version='1.0' encoding='windows-1252'?>
<?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?>
<?define PackageDescription="COMPANYNAME TOOLNAME installer" ?>
<?define Manufacturer="COMPANYNAME" ?>
<?define Name="TOOLNAME" ?>
<?define Version="VERSION" ?>
<?define BinaryName="TOOLNAME.exe" ?>
<?define BinaryNamex86="TOOLNAMEx86.exe" ?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
  This content will extract BITS Transfer events and enable filtering by URL
reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
parameters:
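The artifact above works on BITS-Client events inside Velociraptor; the same URL filtering logic is shown here in plain Python as an added example (not the artifact's VQL or any project code), so it can be checked against exported event XML offline. The three events are constructed samples shaped like Microsoft-Windows-Bits-Client/Operational event ID 59 (transfer job started), which carries the job name and URL in its EventData; the function names and the include/exclude regex parameters are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Windows event XML lives in this default namespace; ElementTree needs it spelled out.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(time: str, computer: str, event_id: int, name: str, url: str) -> str:
    # Builds one constructed event in the rendered-XML shape of
    # Microsoft-Windows-Bits-Client/Operational; only the fields used below are included.
    return f"""<Event xmlns="{EVT_NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Bits-Client" />
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}" />
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="name">{name}</Data>
    <Data Name="url">{url}</Data>
  </EventData>
</Event>"""


# Constructed sample events: one routine update, one download from a bare IP
# (TEST-NET address), one ordinary vendor download.
SAMPLE_EVENTS = [
    _event("2021-03-05T10:11:12.000Z", "ws01.example.local", 59, "Windows Update",
           "http://download.windowsupdate.com/c/msdownload/update/1.cab"),
    _event("2021-03-05T10:13:40.000Z", "ws01.example.local", 59, "job1",
           "http://203.0.113.7/update.exe"),
    _event("2021-03-05T11:02:05.000Z", "ws02.example.local", 59, "Installer",
           "https://cdn.example.net/package.zip"),
]


def parse_bits_event(xml_text: str) -> dict:
    """Flatten one event's System block and EventData Name/value pairs."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", EVT_NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "time": sysnode.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        "computer": sysnode.findtext("e:Computer", default="", namespaces=EVT_NS),
        "event_id": int(sysnode.findtext("e:EventID", namespaces=EVT_NS)),
        "job": data.get("name", ""),
        "url": data.get("url", ""),
    }


def filter_bits_transfers(xml_events, url_regex: str, exclude_regex: str = None) -> list:
    """Return parsed events whose URL matches url_regex and not exclude_regex.

    The exclude pattern is the practical knob: known-good update CDNs generate
    the bulk of BITS traffic and should be dropped before a human looks at it.
    """
    include = re.compile(url_regex, re.I)
    exclude = re.compile(exclude_regex, re.I) if exclude_regex else None
    hits = []
    for xml_text in xml_events:
        ev = parse_bits_event(xml_text)
        if not ev["url"] or not include.search(ev["url"]):
            continue
        if exclude and exclude.search(ev["url"]):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    suspicious = r"\.exe$|//\d+\.\d+\.\d+\.\d+/"
    for ev in filter_bits_transfers(SAMPLE_EVENTS, suspicious, r"windowsupdate\.com"):
        print(ev["time"], ev["computer"], ev["job"], ev["url"])
```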
name: Custom.Windows.System.KB5000871
author: Matt Green - @mgreen27
description: |
  This artifact will check for KB5000871 in system Uninstall keys.
  KB5000871 is not visible via Get-Hotfix or Systeminfo so we need to query the
  uninstall keys. Modify NameRegex to search for other installed applications.
reference:
  - https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
name: Custom.Packs.HAFNIUM.Windows.WebshellSearch
author: Matt Green - @mgreen27
description: |
  This artifact will hunt for Webshells associated with the HAFNIUM campaign as
  reported by Microsoft and Volexity.
  The default artifact will discover all ASPX files on C: then run a preconfigured
  yara rule. Yara can be supplied by the YaraRule parameter or alternatively a
  URL can be set to enable download of remote rule set.
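The two-stage approach the artifact describes (enumerate ASPX files, then run a rule over each) is shown below in plain Python as an added example; it is not the artifact's VQL and the patterns are not its YARA rule. Regular expressions stand in for YARA so it runs without yara-python: they look for the traits of simple ASP.NET webshells (code evaluation or process execution driven by request input), of which the one-line JScript eval shell is the best known. The directory tree, file contents and function names are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed illustrative indicators (not the artifact's YARA rule).
INDICATORS = {
    "eval_request": re.compile(rb'eval\s*\(\s*Request', re.I),
    "unsafe_eval": re.compile(rb'"unsafe"', re.I),
    "process_start": re.compile(rb'System\.Diagnostics\.Process|ProcessStartInfo', re.I),
    "cmd_from_request": re.compile(rb'Request\s*(\.Item|\[)[^)]*\)[^;]*\.(Execute|Start)\(', re.I),
}


def find_aspx(root: str) -> list:
    """Stage 1: every file under root with an .aspx extension (case-insensitive)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".aspx"):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def scan_file(path: str) -> list:
    """Stage 2: names of every indicator that fires on the file's raw bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def hunt(root: str) -> dict:
    """Path -> matched indicator names, for ASPX files with at least one match."""
    results = {}
    for path in find_aspx(root):
        matches = scan_file(path)
        if matches:
            results[path] = matches
    return results


# Constructed sample tree: a benign page, a webshell dropped under a path of the
# kind seen in the campaign reporting, and shell-like text in a non-ASPX file
# that stage 1 must skip.
SAMPLES = {
    "Default.aspx": b'<%@ Page Language="C#" %><html><body>Hello</body></html>',
    "aspnet_client/system_web/help.aspx":
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["pwd"],"unsafe");%>',
    "notes.txt": b'<%eval(Request.Item["x"],"unsafe");%>',
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="webshell_demo_")
    for rel, content in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for path, matches in hunt(build_sample_tree()).items():
        print(path, "->", ", ".join(matches))
```

Reading files as bytes rather than text matters here: webshells are routinely saved in UTF-16 or with stray high bytes, and a text decode that raises would silently drop exactly the file you are looking for. On a real host, replace INDICATORS with the published rule set and point the walk at the web root rather than all of C:\ if scan time is a concern.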