@mgreen27
mgreen27 / plaso.txt
Last active September 24, 2022 12:43
Plaso notes
## Plaso stuff
# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/$MACHINENAME.plaso /data/$MACHINENAME
# parsers can be targeted or skipped with the --parsers option; prefix a parser name with ! to exclude it
# (the backslash stops an interactive bash shell from treating ! as history expansion)
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=\!filestat,\!mft,\!usnjrnl /data/$MACHINENAME.plaso /data/$MACHINENAME
# braces are required here: $MACHINENAME_evtx would be expanded as an (empty) variable named MACHINENAME_evtx
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=winevtx /data/${MACHINENAME}_evtx.plaso /data/$MACHINENAME
@mgreen27
mgreen27 / Get-KerberosTicketGrantingTicket.ps1
Created September 23, 2020 10:53
Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
{
<# __CyberCX__
.SYNOPSIS
Gets the Kerberos Ticket Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
@mgreen27
mgreen27 / Get-KerberosTicketCache.ps1
Last active September 22, 2020 11:38
Get-KerberosTicketCache
function Get-KerberosTicketCache
{
<# __CyberCX__
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.EXAMPLE
@mgreen27
mgreen27 / buildLocalLR.sh
Last active October 1, 2021 20:25
Velociraptor local live response configuration files
#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"
@mgreen27
mgreen27 / o365-kb.md
Last active November 29, 2021 01:20 — forked from hiddenillusion/o365-kb.md
| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email | |
| App Password | A separately generated password that lets a legacy client which cannot perform MFA authenticate with a single password; for that client it effectively bypasses MFA. | |
| Alternate email address | Required for admins to receive important notifications or to reset the admin password; cannot be modified by end users. | |
| AuditAdmin | | |
| AuditDelegate | | |
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book and on the To and From lines of an email. | |
| EAC | Exchange Admin Center | |
@mgreen27
mgreen27 / Get-BinaryRename.ps1
Created June 1, 2019 08:08
Binary Rename static detection
<#
.SYNOPSIS
Find renamed copies (binary rename) of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
Get-FileHash (PowerShell 4.0+)
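The static check the gist describes, written out as an added example (this is not Get-BinaryRename.ps1 itself). A PE's version resource carries the file name the vendor compiled in (OriginalFilename); a file on disk whose name differs from that embedded name, where the embedded name is a commonly abused LOLBin, is a rename candidate. The watch list, the default search roots and the output fields are this example's assumptions.

```powershell
# Added example, not the gist's code: static binary-rename hunt using the
# version resource. Requires PowerShell 4.0+ for Get-FileHash.

# Illustrative subset of commonly renamed LOLBins (assumption; extend as needed).
$script:WatchList = @(
    'cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'rundll32.exe', 'regsvr32.exe',
    'mshta.exe', 'certutil.exe', 'wscript.exe', 'cscript.exe', 'msbuild.exe',
    'installutil.exe', 'regasm.exe', 'regsvcs.exe', 'psexec.exe', 'procdump.exe'
)

function Get-EmbeddedName {
    # Normalise the version-resource name: drop any path component, whitespace and case.
    param([System.IO.FileInfo]$File)
    $orig = $File.VersionInfo.OriginalFilename
    if ([string]::IsNullOrWhiteSpace($orig)) { return $null }
    return (($orig -split '[\\/]')[-1]).Trim().ToLowerInvariant()
}

function Get-BinaryRenameCandidate {
    [CmdletBinding()]
    param(
        # Default roots (assumption): user-writable locations where dropped tools usually land.
        [string[]]$Path = @($env:TEMP, $env:ProgramData, "$env:USERPROFILE\Downloads"),
        [string[]]$Watch = $script:WatchList
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.com, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $embedded = Get-EmbeddedName -File $_
            if (-not $embedded) { return }                              # no version resource: nothing to compare
            if ($Watch -notcontains $embedded) { return }               # not a binary we care about
            if ($_.Name.ToLowerInvariant() -eq $embedded) { return }    # on-disk name matches: not a rename
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $_.VersionInfo.OriginalFilename
                InternalName     = $_.VersionInfo.InternalName
                SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWriteUtc     = $_.LastWriteTimeUtc
            }
        }
    }
}

# Usage: list candidates, then triage each SHA256 against known-good vendor hashes.
Get-BinaryRenameCandidate | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: a binary with no version resource is skipped outright, and an attacker who patches OriginalFilename defeats this comparison entirely, which is why the hash is carried along for the next step rather than the name match being treated as proof either way.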
@mgreen27
mgreen27 / Get-AMSIEvents.ps1
Last active May 27, 2019 12:59
Get-AMSIEvents
Function Get-AMSIEvents
{
<#
.SYNOPSIS
Get-AMSIEvents collects AMSI events for a specified interval.
Name: Get-AMSIEvents.ps1
Version: 0.1
Date: 2019-05-26
@mgreen27
mgreen27 / WMIEvent-BinaryRename.ps1
Last active July 15, 2022 20:36
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
<#
.SYNOPSIS
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
Name: WMIEvent-BinaryRename.ps1
Version: 1.0
Author: Matt Green (@mgreen27)
.DESCRIPTION
@mgreen27
mgreen27 / Invoke-CLSIDParser.ps1
Created July 22, 2018 12:34
Parse CLSID COM objects from Registry
<#
.SYNOPSIS
Invoke-CLSIDParser.ps1 parses COM CLSID entries from HKEY_LOCAL_MACHINE and HKEY_USERS registry hives.
Name: Invoke-CLSIDParser.ps1
Version: 0.1
Author: Matt Green (@mgreen27)
.DESCRIPTION
Researchers have recently written about several use cases for code execution and persistence utilising COM (Component Object Model) hijacking.
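The hijack pattern the gist refers to, as an added targeted check (this is not Invoke-CLSIDParser.ps1 itself). When a CLSID is registered under both HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID, the per-user server is loaded in preference to the machine-wide one, so a user-hive entry that points at a different binary than HKLM, or at a user-writable path, or that redirects via TreatAs, is a hijack candidate. The registry roots, the user-writable path heuristic and the output fields are this example's assumptions.

```powershell
# Added example, not the gist's code: flag per-user CLSID registrations that
# shadow a machine-wide COM server, redirect through TreatAs, or point at a
# user-writable location.

function Get-ComServerPath {
    # Return the server registered under a CLSID key, or $null if it has none.
    param([string]$ClsidKey)
    foreach ($sub in 'InprocServer32', 'LocalServer32', 'InprocHandler32') {
        $k = Join-Path $ClsidKey $sub
        if (Test-Path -LiteralPath $k) {
            $val = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
            if ($val) { return [pscustomobject]@{ Type = $sub; Path = [string]$val } }
        }
    }
    return $null
}

function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        [string]$UserRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineRoot = 'HKLM:\Software\Classes\CLSID'
    )
    if (-not (Test-Path -LiteralPath $UserRoot)) { return }   # nothing registered per-user
    Get-ChildItem -LiteralPath $UserRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid         = $_.PSChildName
        $userServer    = Get-ComServerPath -ClsidKey $_.PSPath
        $machineKey    = Join-Path $MachineRoot $clsid
        $machineServer = if (Test-Path -LiteralPath $machineKey) { Get-ComServerPath -ClsidKey $machineKey } else { $null }
        # TreatAs redirects one CLSID to another and is a second hijack vector.
        $treatAs = (Get-ItemProperty -LiteralPath (Join-Path $_.PSPath 'TreatAs') -ErrorAction SilentlyContinue).'(default)'

        $shadowsMachine = $machineServer -and $userServer -and ($userServer.Path -ne $machineServer.Path)
        $expandedPath   = if ($userServer) { [Environment]::ExpandEnvironmentVariables($userServer.Path) } else { $null }
        # Heuristic (assumption): servers under these roots are writable by a normal user.
        $userWritable   = $expandedPath -and ($expandedPath -match '(?i)\\Users\\|\\ProgramData\\|\\Temp\\')

        if ($shadowsMachine -or $treatAs -or $userWritable) {
            [pscustomobject]@{
                CLSID         = $clsid
                UserServer    = if ($userServer)    { $userServer.Path }    else { $null }
                MachineServer = if ($machineServer) { $machineServer.Path } else { $null }
                TreatAs       = $treatAs
                Reason        = @(
                    if ($shadowsMachine) { 'user hive shadows HKLM' }
                    if ($treatAs)        { 'TreatAs redirect' }
                    if ($userWritable)   { 'server in user-writable path' }
                ) -join '; '
            }
        }
    }
}

Get-ComHijackCandidate | Format-Table -AutoSize
```

Expect legitimate per-user registrations from per-user installers in the output; the value of the check is the comparison against HKLM and the path, not the mere existence of a user-hive CLSID, so triage the UserServer binary for each row rather than treating every hit as malicious.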
@mgreen27
mgreen27 / EDR_Killer.ps1
Last active October 18, 2021 16:12
WMI EventConsumer to disable EDR (or other) tools when they are installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: PowerShell WMI Event Consumer proof of concept that disables EDR tools when they are installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
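Both WMIEvent-BinaryRename.ps1 and EDR_Killer.ps1 install a permanent WMI subscription, which is always the same three objects: an __EventFilter (the WQL query), a consumer (what runs), and a __FilterToConsumerBinding joining them. The following added example (not the gists' own code) installs one with the service-creation query from the EDR_Killer preview, and pairs it with an audit function that lists every binding on the host and a removal function, which is the check a responder wants when hunting for subscriptions of this kind. The subscription name, the log path and the demo consumer command are assumptions; it needs an elevated shell.

```powershell
# Added example, not the gists' code: install, audit and remove a permanent
# WMI event subscription. Run elevated. Uses the WMI cmdlets available from
# PowerShell 2.0 (Windows PowerShell), matching the gists' target.

$Namespace = 'root\subscription'

function Install-WmiSubscription {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Query,
        [Parameter(Mandatory = $true)][string]$CommandLineTemplate
    )
    # 1. Filter: the WQL query, evaluated in root\cimv2 where Win32_* classes live.
    $filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
        Name = $Name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = $Query
    }
    # 2. Consumer: CommandLineEventConsumer runs a command as SYSTEM when the filter fires.
    $consumer = Set-WmiInstance -Namespace $Namespace -Class CommandLineEventConsumer -Arguments @{
        Name = $Name; CommandLineTemplate = $CommandLineTemplate
    }
    # 3. Binding: nothing happens until filter and consumer are joined.
    Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer
    } | Out-Null
}

function Get-WmiSubscription {
    # One row per binding: which query fires, and what the consumer executes.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding | ForEach-Object {
        $filter   = [wmi]"\\.\${Namespace}:$($_.Filter)"
        $consumer = [wmi]"\\.\${Namespace}:$($_.Consumer)"
        [pscustomobject]@{
            Filter        = $filter.Name
            Query         = $filter.Query
            ConsumerClass = $consumer.__CLASS
            Consumer      = $consumer.Name
            # CommandLineEventConsumer carries a command; ActiveScriptEventConsumer carries script text.
            Action        = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                            elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                            else                               { $null }
        }
    }
}

function Remove-WmiSubscription {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Binding first, then the filter and consumer it referenced.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$([regex]::Escape($Name))`"" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Demo: same trigger as the EDR_Killer preview (a new Win32_Service instance), but the
# consumer only appends the new service's name to a log file (path is an assumption).
# %TargetInstance.Name% is substituted by WMI from the event that fired.
$demoQuery = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service"'
Install-WmiSubscription -Name 'Demo_ServiceWatch' -Query $demoQuery `
    -CommandLineTemplate 'cmd.exe /c echo %TargetInstance.Name% >> C:\Windows\Temp\wmi-demo.log'

Get-WmiSubscription | Format-Table -AutoSize
# Remove-WmiSubscription -Name 'Demo_ServiceWatch'
```

When auditing, read the Action column: a consumer that stops or deletes services, runs PowerShell with encoded arguments, or references a user-writable path is the EDR_Killer pattern. Sysmon logs the creation of each of the three objects as event IDs 19 (filter), 20 (consumer) and 21 (binding), which gives you the same coverage historically rather than only at the time you run the audit.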