Skip to content

Instantly share code, notes, and snippets.

View scudette's full-sized avatar
🦕
Digital Paleontologist

Mike Cohen scudette

🦕
Digital Paleontologist
View GitHub Profile
@scudette
scudette / analysis.md
Created September 27, 2023 12:42
Velociraptor CTF Preparations

Scoping the environment

What users are logging into machines?

Windows.Sys.AllUsers

SELECT Name, UUID, Mtime, count()
FROM source(artifact="Windows.Sys.AllUsers")
WHERE Name
@scudette
scudette / Generic.Search.PDF.yaml
Created June 1, 2023 09:43
An artifact that can search a PDF
name: Generic.Search.PDF
description: |
This artifact searches PDF files for a keyword.
parameters:
- name: PDFGlob
default: /tmp/*.pdf
description: A glob to find PDF files
- name: YaraRule
type: yara
@scudette
scudette / disk_remapping.yaml
Created August 24, 2022 04:06
A Sample remapping configuration for raw disk access.
remappings:
- type: permissions
permissions:
- COLLECT_CLIENT
- FILESYSTEM_READ
- FILESYSTEM_WRITE
- READ_RESULTS
- MACHINE_STATE
- SERVER_ADMIN
- type: impersonation
@scudette
scudette / extended_attributes.ps1
Created May 9, 2022 00:42 — forked from mgreen27/00_ntfs.ps1
Auscert 2022 NTFS Exercise setup
### Extended Attribute
# 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script)
https://github.com/jschicht/EaTools/raw/master/EaInject64.exe
https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe
# 2. Add EA to file
copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe
C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE
@scudette
scudette / extended_attributes.ps1
Last active May 8, 2022 05:17
Auscert 2022 NTFS Exercise setup
### Extended Attribute
# 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script)
https://github.com/jschicht/EaTools/raw/master/EaInject64.exe
https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe
# 2. Add EA to file
copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe
C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE
@scudette
scudette / remapping.yaml
Created March 23, 2022 06:50
Sample flat disk image remapping configuration
remappings:
- type: permissions
permissions:
- COLLECT_CLIENT
- FILESYSTEM_READ
- FILESYSTEM_WRITE
- READ_RESULTS
- MACHINE_STATE
- SERVER_ADMIN
- type: impersonation
@scudette
scudette / mapping.csv
Last active November 11, 2021 11:46
Mapping between Sysmon fields and ECS
Sysmon Field ECS Field
System.EventID maps to event.type = "start"
EventData.Image strip directory part and store in `process.name`
EventData.OriginalFileName stored in `process.pe.original_file_name`
EventData.CommandLine is split into array and stored in `process.args`
SELECT "C:/" + FullPath AS FullPath,
InUse,FileName,FileSize,
dict(
Created0x10 = Created0x10,
LastModified0x10 = LastModified0x10,
LastRecordChange0x10 = LastRecordChange0x10,
LastAccess0x10 = LastAccess0x10
) as SI,
dict(
@scudette
scudette / Custom.GDPRCheck.yaml
Last active June 4, 2021 16:38
Artifact to check for GDPR Compliance
name: Custom.Windows.Audit.SCA
sources:
- query: |
LET results <= SELECT * FROM chain(
id0_0={
SELECT 14500 AS ID,
'''Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' ''' AS Title,
get(field='''LimitBlankPasswordUse''') AS ActualValue,
'''1''' AS ExpectedValue,
@scudette
scudette / Custom.Windows.ETW.DNSQueries.yaml
Created February 14, 2021 11:54
Artifact to watch dns queries using ETW
name: Custom.Windows.ETW.DNSQueries
type: CLIENT_EVENT
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT System.TimeStamp AS Timestamp,
EventData.QueryName AS Query,