# Modify for your environment. Make sure the sourcetype matches the analytic as needed.
#
# Scripted PowerShell input that inventories boot-loader entries. The script runs
# `bcdedit /enum /v`, splits the output on the dashed separator between entries,
# and emits a "Path:", "Identifier:" and "Description:" line for each entry whose
# text matches the respective regex. Only those three fields are forwarded.
#
# NOTE(review): bcdedit generally needs an elevated context; confirm the account
# running this input on the forwarder has that right, otherwise the script emits
# nothing and the analytic never fires.
[powershell://bootloader]
script = (bcdedit /enum /v) -split "-------------------" | % { if ($_ -match "path\s+(.+)") { Write-Output "Path: $($matches[1])" }; if ($_ -match "identifier\s+(.+)") { Write-Output "Identifier: $($matches[1])" }; if ($_ -match "description\s+(.+)") { Write-Output "Description: $($matches[1])" } }
# Cron-style schedule: once daily at midnight. The commented alternative below
# is a five-minute cadence (useful while validating the input).
schedule = 0 0 * * *
#schedule = */5 * * * *
sourcetype = PwSh:bootloader
index=win
# Remote host | |
$remoteHost = "mswin-server.attackrange.local" | |
# Get query user output from remote host | |
$queryUserOutput = (quser /SERVER:$remoteHost) | |
# Parse disconnected sessions | |
$disconnectedSessionRegex = '^\s*(\S+)\s+(\d+)\s+.*\s+Disc\s+' | |
$disconnectedSessions = @($queryUserOutput | Where-Object { $_ -match $disconnectedSessionRegex } | ForEach-Object { | |
@{ |
GPO Inventory
# Scripted PowerShell input that snapshots every Group Policy Object:
# Get-GPO -All, reduced to the listed identity/status/version/timestamp fields,
# then written to stdout as CSV rows (no type header) so each row becomes an event.
# NOTE(review): Get-GPO comes from the GroupPolicy module, which is presumably
# required on the host running this input — verify before deploying.
[powershell://GPOInventory]
script = Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, Description, UserVersion, ComputerVersion, CreationTime, ModificationTime | ConvertTo-Csv -NoTypeInformation | Write-Output
# Cron-style schedule: once daily at midnight. The commented alternative below
# runs every minute (testing only — each run re-emits the full GPO list).
schedule = 0 0 * * *
#schedule = */1 * * * *
sourcetype = PwSh:GPOInventory
index=win
<ns0:SiPolicy xmlns:ns0="urn:schemas-microsoft-com:sipolicy"> | |
<ns0:VersionEx>10.0.25290.0</ns0:VersionEx> | |
<ns0:PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</ns0:PlatformID> | |
<ns0:Rules> | |
<ns0:Rule> | |
<ns0:Option>Enabled:Unsigned System Integrity Policy</ns0:Option> | |
</ns0:Rule> | |
<ns0:Rule> | |
<ns0:Option>Enabled:Advanced Boot Options Menu</ns0:Option> | |
</ns0:Rule> |
SHA256,Name,Signer,Description | |
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """, | |
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows | |
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows | |
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows | |
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows | |
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows | |
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO | |
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys |
Inputs.conf
###
# Modify cron schedule as you like. Default is once daily.
# Modify index as needed.
# We recommend this method over the other options provided.
###
[powershell://DriverInventory]
Want to identify newly installed IIS modules?
- List the additional event logs available for IIS:
wevtutil el | findstr -i IIS
- Show the configuration of the selected log:
wevtutil gl Microsoft-IIS-Configuration/Operational
- Enable the selected log:
wevtutil sl /e:true Microsoft-IIS-Configuration/Operational
Path Verified Date Publisher Company Description Product Product Version File Version Machine Type
05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4 Signed 1:43 AM 8/21/2022 Microsoft Windows Hardware Compatibility Publisher n/a n/a n/a n/a n/a 64-bit
42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25 Signed 7:20 AM 8/9/2022 Microsoft Windows Hardware Compatibility Publisher Sense5 CORP Sense5 Driver n/a 2.5.0.0 2.5.0.0 64-bit
575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316 Signed 4:40 AM 8/23/2022 Microsoft Windows Hardware Compatibility Publisher n/a n/a n/a n/a n/a 64-bit
6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1 Signed 8:03 AM 8/19/2022 Microsoft Windows Hardware Compatibility Publisher n/a n/a n/a n/a n/a 64-bit
6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421 Signed 7:33 AM 8/24/2022 Microsoft Windows Hardware Compatibility Publisher n/a
# Load Invoke-AtomicRedTeam from its local checkout; -Force reloads the module
# even if a copy is already imported in this session.
Import-Module -Name 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

# Run a single T1078.001 atomic, selected by its test GUID. The test takes one
# input argument named 'time'; the original author notes this test creates a
# scheduled task, so expect the corresponding task-creation telemetry on the host.
$testInputs = @{ 'time' = '10:59' }
$atomicParams = @{
    TestGuids = '42f53695-ad4a-4546-abb6-7d837f644a71'
    InputArgs = $testInputs
}
Invoke-AtomicTest T1078.001 @atomicParams

# Kept commented out by the author: a multi-endpoint PSSession for running the
# same test remotely against several lab hosts.
#$sesh = New-PSSession -ComputerName AVIATO-DC01,OV-WKST-1,OV-WKST-2,EXCHANGE16 -Credential (Get-Credential)
# Windows Event Log input for the "MSExchange Management" channel, routed to the
# win index with its own sourcetype. NOTE(review): this channel is generally
# where Exchange records management-shell cmdlet invocations — confirm on your
# servers that the channel exists and is populated before relying on it.
[WinEventLog://MSExchange Management] | |
index=win | |
sourcetype=MSExchange:management | |
# 0 = input enabled (Splunk inputs default to disabled when unset).
disabled = 0 |