Skip to content

Instantly share code, notes, and snippets.

View MHaggis's full-sized avatar
:shipit:

Michael Haag MHaggis

:shipit:
633 followers · 96 following
View GitHub Profile
@MHaggis
MHaggis / Scan-LOLDrivers.ps1
Created May 19, 2023 16:29
it works - but use with caution :) it's a bit noisy and I think it's broken
function Scan-LOLDrivers {
param(
[Parameter(Mandatory=$true)]
[string]$path
)
Add-Type -TypeDefinition @"
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
@MHaggis
MHaggis / snake_queuefile.ps1
Created May 10, 2023 16:42
# Define the typical path of the Snake Queue File
$filePath = "$env:windir\registration\"
# Create the folder if it doesn't exist
$null = New-Item -Path $filePath -ItemType Directory -Force
# Generate a random GUID
$guid = [guid]::NewGuid().ToString()
# Define the file name using the generated GUID and the regex pattern
@MHaggis
MHaggis / Windows-TerminalServices-RemoteConnectionManager.md
Created April 17, 2023 20:58

To collect Windows-TerminalServices-RemoteConnectionManager/Operational, add the following to a inputs.conf

We've found that multiline data parses better natively without having to create a props/transforms.

[WinEventLog://Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = False
renderXml = False
index = win
@MHaggis
MHaggis / bootloader.md
Last active May 9, 2023 00:46 
# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
[powershell://bootloader]
script = (bcdedit /enum /v) -split "-------------------" | % { if ($_ -match "path\s+(.+)") { Write-Output "Path: $($matches[1])" }; if ($_ -match "identifier\s+(.+)") { Write-Output "Identifier: $($matches[1])" }; if ($_ -match "description\s+(.+)") { Write-Output "Description: $($matches[1])" } }
schedule = 0 0 * * *
#schedule = */5 * * * *
sourcetype = PwSh:bootloader
index=win
@MHaggis
MHaggis / tscon
Created March 29, 2023 20:44
# Remote host
$remoteHost = "mswin-server.attackrange.local"
# Get query user output from remote host
$queryUserOutput = (quser /SERVER:$remoteHost)
# Parse disconnected sessions
$disconnectedSessionRegex = '^\s*(\S+)\s+(\d+)\s+.*\s+Disc\s+'
$disconnectedSessions = @($queryUserOutput | Where-Object { $_ -match $disconnectedSessionRegex } | ForEach-Object {
@{
@MHaggis
MHaggis / GPOInventory.md
Created March 29, 2023 17:30

GPO Inventory

[powershell://GPOInventory]
script = Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, Description, UserVersion, ComputerVersion, CreationTime, ModificationTime | ConvertTo-Csv -NoTypeInformation | Write-Output
schedule = 0 0 * * *
#schedule = */1 * * * *
sourcetype = PwSh:GPOInventory
index=win
@MHaggis
MHaggis / blockeddrivers-vt-annotated.xml
Created March 6, 2023 21:00 — forked from wdormann/blockeddrivers-vt-annotated.xml
Microsoft recommended driver block rules, but annotated with samples that are present in VirusTotal
<ns0:SiPolicy xmlns:ns0="urn:schemas-microsoft-com:sipolicy">
<ns0:VersionEx>10.0.25290.0</ns0:VersionEx>
<ns0:PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</ns0:PlatformID>
<ns0:Rules>
<ns0:Rule>
<ns0:Option>Enabled:Unsigned System Integrity Policy</ns0:Option>
</ns0:Rule>
<ns0:Rule>
<ns0:Option>Enabled:Advanced Boot Options Menu</ns0:Option>
</ns0:Rule>
@MHaggis
MHaggis / ioc_vulnerable_drivers.csv
Created March 1, 2023 03:46 — forked from k4nfr3/ioc_vulnerable_drivers.csv
IOC vulnerable drivers
We can make this file beautiful and searchable if this error is corrected: It looks like row 9 should actually have 4 columns, instead of 2 in line 8.
SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
@MHaggis
MHaggis / Driver Inventory.md
Last active September 28, 2023 22:57

Inputs.conf


###
# Modify cron schedule as you like. Default is once daily. 
# Modify index as needed.
# We recommend this method over the other options provided.
###
[powershell://DriverInventory]
@MHaggis
MHaggis / Enable Microsoft-IIS-Configuration Operational.md
Last active January 3, 2023 17:15
Reference: https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/

Want to identify new IIS modules installed?

Enable Logging

  • Lists additional logs available for IIS: wevtutil el | findstr -i IIS
  • Configuration for the selected log: wevtutil gl Microsoft-IIS-Configuration/Operational
  • Enable the selected log: wevtutil sl /e:true Microsoft-IIS-Configuration/Operational

Once enabled, make a new Splunk App and deploy.

Inputs.conf