Beercow

Keybase proof

I hereby claim:

• I am beercow on github.
• I am beercow (https://keybase.io/beercow) on keybase.
• I have a public key whose fingerprint is 9501 0FD3 AF08 DF20 B68A DA77 28C3 1FB1 7677 4021

To claim this, I am signing this object:

Beercow

### Keybase proof

I hereby claim:

  * I am beercow on github.
  * I am beercow (https://keybase.io/beercow) on keybase.
  * I have a public key ASAJTCOoPPRdcXdy_uePSyojq5R5VwRMVWxg07cSkEX0JAo

To claim this, I am signing this object:

Beercow

#requires -Module ActiveDirectory
 
<#
        .SYNOPSIS
        This script queries multiple Active Directory groups for new members in a domain.  It records group membership
        in a CSV file in the same location as the script is located. On the script's initial run it will simply record
        all members of all groups into this CSV file.  On subsequent runs it will query each group's member list and compare
        that list to what's in the CSV file.  If any differences are found (added or removed) the script will update the
        CSV file to reflect current memberships and notify an administrator of which members were either added or removed.
        .NOTES

Beercow

<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.1
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

Beercow

<!-- 
   This is a Microsoft Sysmon configuation to be used on Windows workstations
   v0.1 
   Florian Roth (with the help and ideas of others)
   
   The focus of this configuration is 
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on 

Beercow

#!/usr/bin/python

import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random

Beercow

#!/usr/bin/env python
#author Beercow

import dpkt, re, base64, sys

def decodeb64(data):
    data = base64.b64decode(str(data))
    return data

def decodexor(data):

Beercow

1. Install Notepad++ (check "set as default HTML editor" to replace Notepad in IE).

2. Run Notepad++, update its plugins, and install "NppExec" via Plugins, Plugin Manager.

3. Download DBGpPlugin . Place in C:\Program Files (x86)\Notepad++\plugins\DBGpPlugin

4. Use this link to download a modified version of the Komodo Remote Debugging Package. Place in plugin directory. (Unmodified Komodo package does not work with DBGpPlugin) Also contains DBGpPlugin

5. Enter these scripts for Python debugging:

   Press F6 to create a NppExec Execute script, save as "Run Python":

   cd "$(CURRENT_DIRECTORY)"
   

Beercow

[General]
SoftwareCount=21
GroupCount=3
Name=Eric Zimmerman Tools

[Group0]
name=Command-Line Utilities

[Group1]
name=GUI Utilities

Beercow

$provider = get-winevent -ListProvider *
$Collection =@()
foreach ($entry in $provider)
    {
    foreach ($object in $entry.events)
       {
       foreach ($log in $entry.LogLinks.LogName)
            {
            [xml]$data = $object.Template
            foreach ($DataType in $data.template.data.name)