
Author: "Andrew Rathbun"
Description: "Kroll RECmd Batch File"
Id: ecc582d5-a1b1-4256-ae64-ca2263b8f971
Keys:
    -
        Category: "System Info"
        Comment: "Displays the username of the last user logged in to this system"
        Description: WinLogon
        HiveType: SOFTWARE
        KeyPath: "Microsoft\\Windows NT\\CurrentVersion\\WinLogon"
@svch0stz
svch0stz / DetectRules.csv
Last active April 25, 2022 13:54
Detection Rules for Velociraptor EvtxHunter
eventlog,id,name,eventid,rule,ignore
powershell,win_powershell_web,T1059.001-PowerShell Web Request,^(4104)$,Invoke-WebRequest|iwr |wget |curl |Net.WebClient|Start-BitsTransfer,Get-SystemDriveInfo
powershell,win_powershell_suspicious_keywords,T1059.001-Suspicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-Expression|IEX |-W Hidden|-WindowStyle Hidden|-nop |-noprofile|Set-StrictMode|RunAs32|rundll32|127\.0\.0\.1|System\.Reflection\.AssemblyName|System\.Reflection\.Emit\.AssemblyBuilderAccess|System\.Runtime\.InteropServices\.MarshalAsAttribute|memorystream|SuspendThread|GzipStream,chocolatey
powershell,win_powershell_base64,T1059.001-Use of Base64 Commands,^(200|400|800|4100|4103|4104)$,FromBase64String|EncodedCommand|-En |-Enc,
powershell,win_powershell_mimikatz,T1059.001-Mimikatz Execution via PowerShell,^(200|400|800|4100|4103|4104)$,TOKEN_PRIVILE|SE_PRIVILEGE_ENABLED|mimikatz|lsass\.dmp,
powershell,win_powershell_memoryloader,T1059.001-Loading Powershell in Memory,^(200|400|800|4100|4103|
@svch0stz
svch0stz / Cobalt Strike Named Pipe Regex.csv
Last active July 18, 2023 13:12
Cobalt Strike Named Pipe Regex
Regex,Source
MSSE-[0-9a-f]{3}-server,Default Cobalt Strike Artifact Kit binaries
status_[0-9a-f]{2},Default psexec_psh
postex_ssh_[0-9a-f]{4},Default SSH beacon
msagent_[0-9a-f]{2},Default SMB beacon
postex_[0-9a-f]{4},Default Post Exploitation job (v4.2+)
mojo.5688.8052.183894939787088877[0-9a-f]{2},jquery-c2.4.2.profile
mojo.5688.8052.35780273329370473[0-9a-f]{2},jquery-c2.4.2.profile
wkssvc[0-9a-f]{2},jquery-c2.4.2.profile
ntsvcs[0-9a-f]{2},trick_ryuk.profile
@svch0stz
svch0stz / defenderwatch.ps1
Last active November 18, 2022 01:03
WMI Watcher for Windows Defender RealtimeMonitoring
# Subscribe to modification events on the Defender preference class and report
# whenever DisableRealtimeMonitoring flips to True (polled every 5 seconds).
$WMI = @{
    Query            = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action           = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:" $Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring "(Old Value:" $Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring ")"
    }
    Namespace        = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
# Register the permanent (for this session) event subscription; discard the subscriber object
$Null = Register-WMIEvent @WMI
@svch0stz
svch0stz / scanning_cobaltstrike_config.csv
Created May 6, 2021 10:55
scanning_cobaltstrike_config.csv
ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
@svch0stz
svch0stz / repo-reset.md
Created February 13, 2021 14:06 — forked from heiswayi/repo-reset.md
GitHub - Delete commits history with git commands

First Method

Deleting the .git folder may cause problems in our git repository. If we want to delete all of our commits history, but keep the code in its current state, try this:

# Check out to a temporary branch:
git checkout --orphan TEMP_BRANCH

# Add all the files:
git add -A
#### Winlogbeat Evtx Shipper To HELK ####
# Usage: .\winlogbeat.exe -c .\winlogbeat-ship2helk.yml -e -E EVTX_FILE="C:\Dev\evtxfile2ship.evtx"
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop
winlogbeat.shutdown_timeout: 60s
winlogbeat.registry_file: evtx-registry.yml
@svch0stz
svch0stz / Merge-CSVFiles.ps1
Last active August 31, 2020 00:23
Merge-CSVFiles: PowerShell Function to Merge a Folder of CSVs and Append a Filename column
# Usage: Merge-CSVFiles
# Usage: Merge-CSVFiles -Path C:\files\to\merge\ -Filter "*.csv" -OutputFile C:\Temp\merged.csv
# Combination of https://declanbright.com/downloads/Combine-Files.ps1 and https://gallery.technet.microsoft.com/scriptcenter/CombineMerge-multiple-CSV-23a53e83
function Merge-CSVFiles {
    [cmdletbinding()]
    param(
        [string]$Path = ".",
        [string]$Filter = "*.csv",
        [string]$OutputFile = "c:\Temp\Merged_$(get-date -f yyyy-MM-dd_HHmmss).csv"
    )
    # Import every matching CSV, tag each row with the file it came from, then write one merged CSV
    Get-ChildItem -Path $Path -Filter $Filter -File |
        ForEach-Object {
            $file = $_
            Import-Csv -Path $file.FullName |
                Select-Object *, @{ Name = 'Filename'; Expression = { $file.Name } }
        } |
        Export-Csv -Path $OutputFile -NoTypeInformation
}
@svch0stz
svch0stz / Just Another List of PowerShell Commands.txt
Created June 7, 2020 05:37
Just Another List of PowerShell Commands
//Get AD Password Information — Can be used to find stale accounts or users that don’t require authentication
Get-ADUser -Properties Name,UserPrincipalName,Enabled,PasswordNeverExpires,PasswordExpired,PasswordNotRequired,AccountExpirationDate,PasswordLastSet | Export-csv userpasswordinfo.csv
//Get Admins with an SPN — Any account in this list is a good target for Kerberoasting attacks
Get-AdUser -filter {(ServicePrincipalName -like "*") -AND (AdminCount -eq 1)} -Properties * | Select SAMAccountname,PasswordLastSet | Sort PasswordLastSet
//Get Email from List of usernames
Get-Content usernames.txt | Foreach-object { Get-ADUser $_ -Properties Name,UserPrincipalName,Enabled} | Export-csv output.csv
//Get Usernames from List of Emails
@svch0stz
svch0stz / osx-for-pentesting.sh
Created June 27, 2016 10:13 — forked from gabemarshall/osx-for-pentesting.sh
A fork of osx-for-hackers for my personal pentesting setup preferences
#!/bin/sh
# OSX for Pentesting (Mavericks/Yosemite)
#
# A fork of OSX for Hackers (Original Source: https://gist.github.com/brandonb927/3195465)

# Ask for the administrator password upfront
echo "Have you read through the script prior to running this? (y or n)"
read bcareful