@Beercow
Beercow / kape_info.py
Created November 1, 2022 13:11
Python script to dump all fields in KAPE targets and modules, including documentation
import csv
import yaml
import argparse
import os
import sys

filenames = []

def main():

Enumerate USBSTOR:
Get-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select `
    @{ n = 'Vendor'; e = { ((($_.PSParentPath -split '[\\]')[-1] -split '[&]')[-3] -split 'Ven_')[-1] } }, `
    @{ n = 'Product'; e = { ((($_.PSParentPath -split '[\\]')[-1] -split '[&]')[-2] -split 'Prod_')[-1] } }, `
    @{ n = 'Version'; e = { ((($_.PSParentPath -split '[\\]')[-1] -split '[&]')[-1] -split 'Rev_')[-1] } }, `
    @{ n = 'Serial_Number'; e = { ($_.PSPath -split '[\\]')[-1] } }, `
    @{ n = 'Unique_Serial'; e = { if ((($_.PSPath -split '[\\]')[-1]) -like '?&*') { "No" } else { "Yes" } } } | Format-Table

Enumerate MountedDevices:
@Beercow
Beercow / event_data.ps1
Created May 13, 2019 15:39
Get data types for event logs
$provider = get-winevent -ListProvider *
$Collection = @()
foreach ($entry in $provider)
{
    foreach ($object in $entry.events)
    {
        foreach ($log in $entry.LogLinks.LogName)
        {
            [xml]$data = $object.Template
            foreach ($DataType in $data.template.data.name)
@Beercow
Beercow / eztools.nlp
Last active April 5, 2022 11:35
NirLauncher package to add Eric Zimmerman's Tools
[General]
SoftwareCount=21
GroupCount=3
Name=Eric Zimmerman Tools
[Group0]
name=Command-Line Utilities
[Group1]
name=GUI Utilities
  1. Install Notepad++ (check "set as default HTML editor" to replace Notepad in IE).

  2. Run Notepad++, update its plugins, and install "NppExec" via Plugins, Plugin Manager.

  3. Download DBGpPlugin. Place it in C:\Program Files (x86)\Notepad++\plugins\DBGpPlugin

  4. Use this link to download a modified version of the Komodo Remote Debugging Package and place it in the plugin directory. (The unmodified Komodo package does not work with DBGpPlugin.) The download also contains DBGpPlugin.

  5. Enter these scripts for Python debugging:

    Press F6 to create a NppExec Execute script, save as "Run Python":

    cd "$(CURRENT_DIRECTORY)"
    
@Beercow
Beercow / POSeidon.py
Last active July 14, 2017 16:48
Decrypt POSeidon traffic from pcap.
#!/usr/bin/env python
#author Beercow
import dpkt, re, base64, sys

def decodeb64(data):
    data = base64.b64decode(str(data))
    return data

def decodexor(data):
@Beercow
Beercow / wcr.py
Last active May 16, 2017 18:24 — forked from mak/wcr.py
Extract everything from WannaCry
#!/usr/bin/python
import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random
@Beercow
Beercow / config-client.xml
Created November 19, 2016 02:16 — forked from Neo23x0/config-client.xml
Sysmon Base Configuration - Workstations
<!--
This is a Microsoft Sysmon configuration to be used on Windows workstations
v0.1
Florian Roth (with the help and ideas of others)
The focus of this configuration is
- malware detection (execution)
- malware detection (network connections)
- exploit detection
It is not focussed on
@Beercow
Beercow / config-server.xml
Created November 19, 2016 02:16 — forked from Neo23x0/config-server.xml
Sysmon Base Configuration - Windows Server
<!--
This is a Microsoft Sysmon configuration to be used on Windows server systems
v0.1
Florian Roth
The focus of this configuration is
- hacking activity on servers / lateral movement (bad admin, attacker)
It is not focussed on
- malware detection (execution)
- malware detection (network connections)
@Beercow
Beercow / Get-AdGroupMembershipChange.ps1
Created October 23, 2016 02:35 — forked from anonymous/Get-AdGroupMembershipChange.ps1
Detect Changes to AD Group Members and Notify on Change
#requires -Module ActiveDirectory
<#
.SYNOPSIS
This script queries multiple Active Directory groups for new members in a domain. It records group membership
in a CSV file in the same location as the script is located. On the script's initial run it will simply record
all members of all groups into this CSV file. On subsequent runs it will query each group's member list and compare
that list to what's in the CSV file. If any differences are found (added or removed) the script will update the
CSV file to reflect current memberships and notify an administrator of which members were either added or removed.
.NOTES