I hereby claim:
- I am phantinuss on github.
- I am phantinuss (https://keybase.io/phantinuss) on keybase.
- I have a public key ASDSqvzkEta_KwMLuw3mCc_BYBg5ubLrwTxHTDdA0zSUwQo
To claim this, I am signing this object:
phantinuss
phantinuss
/ keybase.md
Last active
December 2, 2021 16:03
phantinuss
/ grep-sysmon-win-eventlog-example.ps1
Last active
December 2, 2021 12:56
How to grep Windows Event Log / Sysmon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where { $_.TimeCreated -ge (Get-Date) - (New-TimeSpan -Day 1) } | where Id -EQ 1 | where Message -match "rundll32" | Format-List -Property Message | Out-String -Stream | Select-String -Pattern " CommandLine:" |
phantinuss
/ update-sysmon-files.ps1
Last active
December 8, 2021 10:13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Config1URL = "https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml" | |
| $Config1 = "sysmonconfig-export.xml" | |
| $Config2URL = "https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/configs/sysmon/sysmon.xml" | |
| $Config2 = "sysmonconfig-all.xml" | |
| # OS Arch for Exe | |
| $OsArch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture | |
| $SysmonExe = "Sysmon64.exe" | |
| if ($OsArch -match "32-Bit"){ $SysmonExe = "Sysmon.exe" } else {$SysmonExe = "Sysmon64.exe"} |
phantinuss
/ empty-pw-hashes
Created
July 26, 2021 10:23
Password Hashes of an empty password which can be found on the web
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - U6aMy0wojraho (ref: https://yougottahackthat.com/blog/339/what-is-aad3b435b51404eeaad3b435b51404ee) | |
| - $1$ADUODeAy$eCJ1lPSxhSGmSvrmWxjLC1 (ref: https://leo.leung.xyz/wiki/Create_a_Linux_User_with_an_Empty_Password) | |
| - $6$My.Salt3$s4o9CBY5VxinLAjgkTqCChti8intR7n.1rLg.ZsMOlXTdbcTtoJo/GVE7cqm5S4GSP4HOYncqcRBc81BIMInc/ (ref: https://eklausmeier.goip.de/blog/2014/07-07-creating-user-account-with-empty-password-on-linux/) |
phantinuss
/ cobaltstrike-profile-stats
Created
July 20, 2021 10:48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| It's ugly, but only intended to run it once. For reproducibility: | |
| 1. fetch data from https://gist.githubusercontent.com/MHaggis/6c600e524045a6d49c35291a21e10752/raw/9dd392bd5805386f021792264f93c42df44ddfb0/malleable_c2_profiles | |
| # while read -r line; do curl $line|grep "spawnto"; done < in.cobaltstrike-profiles > out.cobaltstrike-profile-targets | |
| 2. clean the data, make stats | |
| # cat out.cobaltstrike-profile-targets | awk '{$1=$1;print}' |grep -v "^#" | grep "set spawnto_" | grep -v "^job" |grep -Po "set spawnto_x.. \"(.*)\";" | cut -d\" -f2 | grep -Po "\\\([^\\\]*.exe)" | sort | uniq -c |sort -nr |