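# stupid overengineered solution
# Purpose: confirm PsExec has been run on this host. PsExec writes a per-user
# Software\Sysinternals\PsExec key (EulaAccepted) under the user's hive, so a hit
# under HKEY_USERS\<SID>\... is mapped back to the owning account name.
# Only hives currently loaded under HKEY_USERS are visible here; users who are
# logged off need their NTUSER.DAT checked offline for the same key.
# Errors are silenced on purpose: on a host where nobody ran PsExec the wildcard
# path simply matches nothing and we do not want provider noise in the output.
$ErrorActionPreference = 'SilentlyContinue';
$value = Get-ItemProperty "REGISTRY::HKEY_USERS\*\Software\Sysinternals\PsExec";
# More than one loaded hive may carry the key, so each hit is handled on its own;
# the original assumed a single hit (and, with no hit at all, $value.EulaAccepted
# was $null, which is not -eq 0, so "PsExec used by" was printed with an empty name).
foreach ($hit in @($value | Where-Object { $_ })) {
    # PSPath looks like ...Registry::HKEY_USERS\<SID>\Software\Sysinternals\PsExec;
    # the SID is the path element that starts with "S-".
    $SID = ($hit.PSPath -split '\', 0, 'SimpleMatch' | Where-Object { $_ -like 'S-*' } | Select-Object -First 1);
    # Exact match on the SID (the original used -match, which is a regex and would
    # also accept a SID that merely starts with this one).
    $NAME = Get-WmiObject Win32_UserAccount | Where-Object { $_.SID -eq $SID } | Select-Object -ExpandProperty Name;
    # WMI cannot always resolve the account (e.g. domain user with no reachable DC);
    # fall back to the raw SID rather than printing an empty name.
    if (-not $NAME) { $NAME = $SID }
    # Same rule as the original check: a key whose EulaAccepted is 0 is not reported.
    if ($hit.EulaAccepted -ne 0) {
        Write-Host -NoNewline "`n Registry confirms PsExec used by ";
        Write-Host "$NAME`n" -ForegroundColor magenta
    }
}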
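# Download and use script
# Pulls Get-BAMParser.ps1 from the Invoke-LiveResponse repo and runs it to parse the
# Background Activity Moderator (BAM) keys. The URL points at the moving "master"
# branch, so the content can differ between runs: the SHA256 of what was actually
# fetched is printed so it can be recorded in the case notes and compared with a
# known-good copy. Nothing is executed if the download did not produce a file
# (the original ran ./Get-BAMParser.ps1 unconditionally).
$bamParser = 'Get-BAMParser.ps1';
Invoke-WebRequest -UseBasicParsing -Uri https://raw.githubusercontent.com/mgreen27/Invoke-LiveResponse/master/Content/Other/Get-BAMParser.ps1 -OutFile $bamParser;
if (Test-Path $bamParser) {
    Get-FileHash -Algorithm SHA256 $bamParser | Format-Table -AutoSize;
    & ".\$bamParser" | Out-String
} else {
    Write-Host "Download of $bamParser failed; nothing executed" -ForegroundColor Red
}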
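# run and look at BAM manually
# The UserSettings subkeys are named by user SID, so the second step resolves a SID
# copied from the reg output to an account name.
# NOTE(review): on Windows 10 builds before 1809 the path was bam\UserSettings (no
# "state" level) — adjust if the query below comes back empty on an older host.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s
# Put the SID to resolve here. -match is kept on purpose: a partial SID (or the
# empty default) still returns matches, so an empty value lists every account.
$SID = ""  #insert SID between quotes
Get-WmiObject Win32_UserAccount |
Select-Object Name, SID |
Where-Object SID -match $SID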
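# Fetch Eric Zimmerman's PECmd (prefetch parser), unpack it into the current
# directory and list what is now here to work with. Prefetch (.pf) files normally
# live in C:\Windows\Prefetch, so the *.pf part of the listing only shows something
# if they were copied into this directory first.
# The SHA256 of the archive is printed before unpacking so the exact build used can
# be recorded and checked against the hash the publisher lists.
# -Force on Expand-Archive lets the snippet be re-run without "file already exists"
# errors (the original failed on a second run).
Invoke-WebRequest -UseBasicParsing -Uri https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip -OutFile PECmd.zip ;
Get-FileHash -Algorithm SHA256 PECmd.zip | Format-Table -AutoSize ;
Expand-Archive ./PECmd.zip . -Force ;
Get-ChildItem *.exe, *.pf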
<#
Meta
Date: 2022 June 30th
Authors: Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate setting up Sysmon with Florian Roth's ruleset.
Sysmon log can be found in C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
#>
function admin_check{
<#
Meta
Date: 2023 January 7th
Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf)
Company: Huntress Labs
Purpose: Automate collecting Windows Registry hives, including related .DATs for all users.
Notes:
Will trigger AV as it's technically credential dumping.
Also relies on having internet access, to download TScopy
Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy
# Make the schtask for the test
schtasks /create /tn "Find_Me" /tr calc.exe /sc minute /mo 100 /k
# Loop and parse \Taskcache\Tasks Registry location for scheduled tasks
## Parses Actions to show the underlying binary / commands for the schtask
## Could replace Actions with Triggers on line 10, after -ExpandProperty
(Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\*").PSChildName |
Foreach-Object {
write-host "----Schtask ID is $_---" -ForegroundColor Magenta ;
$hexstring = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\$_" | Select -ExpandProperty Actions) -join ',' ;
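#Run as Administrator, copy/paste the below
# Mount HKU
# New-PSDrive is the cmdlet behind the "mount" alias; it is spelled out so the
# snippet does not depend on the alias being defined. -ErrorAction keeps a re-run
# from complaining that the HKU drive already exists.
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null;
# Loop through each HKU/user's HKCU, AND deploy OneNote defences
# Only hives currently loaded under HKEY_USERS are touched (logged-on users and
# service accounts); users who are logged off are not covered by this one-off and
# need the value delivered another way (e.g. policy) when they next log on.
# -Force lets New-ItemProperty overwrite an existing value, so the snippet is safe
# to run more than once and corrects a value someone set back to 0 (without it the
# original errored on every key where the value already existed).
(Get-ChildItem -Path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath |
ForEach-Object { New-ItemProperty -Path $_ -Name "disableembeddedfiles" -Value 1 -Type DWORD -Force -Verbose };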
(gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath |
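#run as Administrator, copy/paste the below
# Adds the ProgrammaticAccessOnly attribute to the "mount" shell verb of .iso and .vhd
# files, which removes "Mount" from the Explorer context menu / double-click so a user
# cannot casually mount a delivered disk image. Only the value's presence matters,
# hence no -Value. -Force lets the snippet be re-run if the value already exists.
# Each verb key is checked first: New-ItemProperty does not create the path, and a
# missing key just means there is no UI mount verb to hide on this host.
foreach ($verb in "HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount", "HKLM:\SOFTWARE\Classes\Windows.VhdFile\shell\mount") {
    if (Test-Path $verb) {
        New-ItemProperty -Path $verb -Name "ProgrammaticAccessOnly" -Type String -Force -Verbose
    } else {
        Write-Warning "$verb not present; nothing to change"
    }
}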
#run as Administrator, copy/paste the below
# Mount HKU
# Expose HKEY_USERS as the HKU: drive (New-PSDrive is what the "mount" alias resolves to).
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;
# Loop through each HKU/user's HKCU, loop though each Office version and application, and implement defences
# Every loaded user hive is walked for Office\<version>\<app>\Security keys and the
# blockcontentexecutionfrominternet DWORD is set to 1 on each one that exists. Only hives
# currently loaded under HKEY_USERS are reached; keys that do not exist yet are not created.
$securityKeys = (Get-ChildItem -Path "HKU:\*\Software\Microsoft\Office\*\*\Security\").PsPath
foreach ($securityKey in $securityKeys) {
    Set-ItemProperty -Path $securityKey -Name "blockcontentexecutionfrominternet" -Value 1 -Type DWord -Verbose
}