CaledoniaProject
CaledoniaProject
/ EmulateProcExpDotNetEnumeration.ps1
Created
August 11, 2018 09:42
— forked from mattifestation/EmulateProcExpDotNetEnumeration.ps1
Replicates the data collected when enumerating .NET Assemblies in Process Explorer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman start trace dotNetAssemblyTrace2 -p "Microsoft-Windows-DotNETRuntimeRundown" "LoaderRundownKeyword, StartRundownKeyword" win:Informational -o dotNetAssemblyTrace2.etl -ets | |
| Start-Sleep -Seconds 5 | |
| logman stop dotNetAssemblyTrace2 -ets | |
| $EnumeratedCLRRuntimes = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=187)]]' | |
| $EnumeratedAppDomains = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=157)]]' | |
| $EnumeratedAssemblies = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=155)]]' | |
| $EnumeratedModules = Get-WinEvent -Path .\dotNetAssemblyTrace2.etl -Oldest -FilterXPath '*[System[(EventID=153)]]' |
CaledoniaProject
/ example.cs
Created
August 10, 2018 03:12
Loads .NET Assembly into script host from current path
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.EnterpriseServices; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
CaledoniaProject
/ cbapi-ps-lsass-loop.py
Created
August 1, 2018 11:30
— forked from curi0usJack/cbapi-ps-lsass-loop.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Carbon Black Evil PowerShell LSASS Query | |
| # | |
| # Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe | |
| # | |
| # Author: Jason Lang (@curi0usJack) | |
| # | |
| # Prereqs (Windows 10) | |
| # Install bash on Win10 | |
| # sudo apt-get install python-pip | |
| # sudo pip install --upgrade requests |
CaledoniaProject
/ djb2.go
Created
July 22, 2018 14:37
— forked from lmas/djb2.go
djb2, a non-cryptographic hash function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package djb2 | |
| // For when you ever need to implement a dictionary hash function, | |
| // that's good enough, simple and fast. | |
| // | |
| // WARNING: | |
| // Not cryptographicly secure! | |
| // | |
| // Source: https://en.wikipedia.org/wiki/DJB2 | |
| // |
CaledoniaProject
/ GetPEFeature.ps1
Created
July 16, 2018 12:04
— forked from mattifestation/GetPEFeature.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter Get-PEFeature { | |
| <# | |
| .SYNOPSIS | |
| Retrieves key features from PE files that can be used to build detections. | |
| .DESCRIPTION | |
| Get-PEFeature extracts key features of PE files that are relevant to building detections. |
CaledoniaProject
/ auto_shellcode_hashes.py
Created
July 16, 2018 10:50
— forked from williballenthin/auto_shellcode_hashes.py
automatically resolve shellcode hashes into symbolic names using emulation, example: https://asciinema.org/a/uxzaceQ20DFYLJ0APL8sDuh0U
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import pefile | |
| import ucutils | |
| import unicorn | |
| import capstone | |
| import argparse |
CaledoniaProject
/ bucket-disclose.sh
Created
July 12, 2018 09:41
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
CaledoniaProject
/ SysmonEventGUIDParser.ps1
Created
July 9, 2018 00:03
— forked from mattifestation/SysmonEventGUIDParser.ps1
Extracts fields from sysmon process and logon GUIDs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| $Epoch = Get-Date '01/01/1970' | |
| # Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/ | |
| $StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName | |
| $TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone) | |
| # Parse out all the LogonGUID fields for sysmon ProcessCreate events | |
| Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object { |
CaledoniaProject
/ check_hashes.py
Created
July 6, 2018 03:08
— forked from bandrel/check_hashes.py
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| #Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller | |
| #Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH::: | |
| # ./check_hashes.py <hash_dump> | |
| import sys | |
| hashes = {} | |
| with open(sys.argv[1]) as infile: |
CaledoniaProject
/ wldp_interesting_rundll32_invocations.txt
Created
June 3, 2018 14:31
— forked from mattifestation/wldp_interesting_rundll32_invocations.txt
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| StorageUsage.dll,GetStorageUsageInfo | |
| acmigration.dll,ApplyMigrationShims | |
| acproxy.DLL,PerformAutochkOperations | |
| ppioobe.dll,setupcalendaraccountforuser | |
| edgehtml.dll,#125 | |
| edgehtml.dll,#133 | |
| davclnt.dll,davsetcookie | |
| appxdeploymentextensions.onecore.dll,shellrefresh | |
| pla.dll,plahost | |
| aeinv.dll,updatesoftwareinventory |