- Inventory Management
- Access Management
- Configuration Management
- Patch Management
- Logging and Monitoring
- Alerts
- Automated Remediation
- Keep it simple
function Export-MFT {
<#
.SYNOPSIS
Extracts master file table from volume.
Version: 0.1
Author : Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION
library(xml2)
library(purrr)
fil <- "https://gist.githubusercontent.com/hrbrmstr/f9c3bbc561e824219954ab5eecc12f2b/raw/65dad652d575b9c475559cbed86fceb5f0ff4d1b/books.xml"
doc <- read_xml(fil)
i <- 1
# write each <book> element to its own numbered file
walk(xml_find_all(doc, "//book"), function(x) {
  writeLines(as.character(x), sprintf("out-%03d.xml", i))
  i <<- i + 1  # update the counter in the enclosing environment
})
function Get-RecentFiles {
<#
.SYNOPSIS
Lists files in a user's Recent directory sorted by LastWriteTime property.
.DESCRIPTION
The files returned in the specified user's Recent directory are .lnk files. Analyzing the
contents of the files will show what documents were accessed, as Windows maintains a history
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
##
## A good excuse to learn LINQ in WinDbg.
## Author: Matt Suiche (@msuiche) - 18-Jan-2019
##
## References:
## Extracting Forensic Script Content from PowerShell Process Dumps (Lee Holmes) - 17 Jan 2019
## http://www.leeholmes.com/blog/2019/01/17/extracting-forensic-script-content-from-powershell-process-dumps/
## Extracting Activity History from PowerShell Process Dumps (Lee Holmes) - 4 Jan 2019
## https://www.leeholmes.com/blog/2019/01/04/extracting-activity-history-from-powershell-process-dumps/
##
#!/usr/bin/env python3
# TROOPERS2019
# @doegox
# The script will resize the image and convert it to a BW image if needed, but
# I would advise doing it yourself first with e.g. Gimp for better control
# of the aspect ratio and the BW threshold.
# Target: 296x128, black & white (no grey)
# Shall we display the result locally?
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
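The prefixes in the table are fixed because base64 maps every 3-byte group to the same 4 characters, and PowerShell's `-EncodedCommand` takes base64 of UTF-16LE text, so `$e` (bytes `24 00 65`) always becomes `JABl`. The following Python is an added example, not code from the table's author: `b64_prefix` reproduces the table's entries from plaintext, and `scan_logs` applies the prefixes as detection indicators over constructed process-creation log lines, decoding each hit for analyst review. The indicator-to-encoding mapping and the sample lines are assumptions made for the example.

```python
import base64
import re

# Indicator prefixes from the table above, mapped to the text encoding the
# decoded bytes are expected to carry (None = binary such as a PE header).
# This mapping is an assumption for the example, derived from the table's
# "(UTF-16)" annotations.
INDICATORS = {
    "JAB": "utf-16-le",     # "$."  : variable declaration
    "TVq": None,            # "MZ"  : DOS/PE executable header
    "SUVY": "ascii",        # "IEX" : Invoke-Expression, plain ASCII
    "SQBFAF": "utf-16-le",  # "I.E.": IEX as UTF-16
    "SQBuAH": "utf-16-le",  # "I.n.": Invoke-* as UTF-16
    "PAA": "utf-16-le",     # "<."  : XML/HTML start as UTF-16
}

# A run of base64 alphabet long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def b64_prefix(plain, utf16=True):
    """Base64 text that an encoded blob beginning with `plain` must start with.

    Note the third base64 character also covers the top two bits of the third
    byte, so "JAB" implies "$" followed by a byte in 0x40-0x7F (a letter).
    """
    raw = plain.encode("utf-16-le") if utf16 else plain.encode("latin-1")
    return base64.b64encode(raw).decode("ascii")


def decode_token(tok, encoding):
    """Decode a flagged token for review; binary content is shown as hex."""
    raw = base64.b64decode(tok + "=" * (-len(tok) % 4))
    if encoding is None:
        return raw[:16].hex()
    return raw.decode(encoding, errors="replace")


def scan_line(line):
    """Return (indicator, decoded_preview) for each flagged token in a line."""
    hits = []
    for tok in B64_TOKEN.findall(line):
        for prefix, encoding in INDICATORS.items():
            if tok.startswith(prefix):
                hits.append((prefix, decode_token(tok, encoding)))
                break
    return hits


def scan_logs(lines):
    """Flag encoded content across log lines as (line_no, indicator, preview)."""
    return [(i, ind, dec)
            for i, line in enumerate(lines)
            for ind, dec in scan_line(line)]


# Constructed sample process-creation log lines (not from any real incident).
SAMPLE_LOGS = [
    "CommandLine=powershell.exe -nop -w hidden -EncodedCommand "
    + b64_prefix("$env:COMPUTERNAME | Out-File C:\\temp\\host.txt"),
    "CommandLine=powershell.exe -e "
    + b64_prefix("IEX (Get-Content .\\setup.ps1 -Raw)"),
    "CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    # first 16 bytes of a DOS/PE header, standing in for a dropped file
    "FileContent=" + base64.b64encode(
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00").decode(),
]

if __name__ == "__main__":
    for line_no, indicator, preview in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {indicator} -> {preview[:60]!r}")
```

The prefix check only holds when the indicator text is at the very start of the encoded blob; anything preceding it shifts the 3-byte alignment and changes every character that follows, which is why a detection built on these prefixes should be paired with decoding and inspection rather than used alone.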
HELK is an interesting platform for carrying out endpoint threat hunting, and it is useful both in production and for research and training. For research and training, a key part is adding sample data so that hunting queries can be practiced.
Yes, this could probably be done in a better way, but the goal here was K.I.S.S.: quick and dirty.
Splunk provides sample data from its BOSS of the SOC CTF. Both v1 and v2 have been published as open source (more info here). The v1 data is available on GitHub here; unfortunately, it is formatted for ingestion into Splunk.
The goal is to import it into the HELK platform, which is based on an ELK stack (Elasticsearch, Logstash and Kibana). Thankfully, Sébastien Lehuédé has converted the data and done th
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|
| ConsoleLogin | StartInstance | CreateAccessKey | CreateGroup | StopLogging | GetSecretValue | ListUsers | AssumeRole | CreateSnapShot | PutBucketVersioning |
| PasswordRecoveryRequested | StartInstances | CreateUser | CreateRole | DeleteTrail | GetPasswordData | ListRoles | SwitchRole | ModifySnapshotAttributes | RunInstances |
| | Invoke | CreateNetworkAclEntry | UpdateAccessKey | UpdateTrail | RequestCertificate | ListIdentities | | ModifyImageAttribute | DeleteAccountPublicAccessBlock |
| | SendCommand | CreateRoute | PutGroupPolicy | PutEventSelectors | UpdateAssumeRolePolicy | ListAccessKeys | | SharedSnapshotCopyInitiated | |
| | | CreateLoginProfile | PutRolePolicy | DeleteFlowLogs | | ListServiceQuotas | | SharedSnapshotVolumeCreated | |
| | | AuthorizeSecurityGroupEgress | PutUserPolicy | DeleteDetector | | ListInstanceProfiles | | ModifyDBSnapshotAttribute | |
| | | AuthorizeSecurityGroupIngress | AddRoleToInstanceProfile | DeleteMembers | | ListBuckets | | PutBucketP | |