The following instructions are for running Bloodhound CE in docker via Windows PowerShell.
** WARNING: Your install will be different. Adjust commands accordingly. **
Check the BH CE Docker Compose Instructions First and if you have issues: https://support.bloodhoundenterprise.io/hc/en-us/articles/17468450058267-Install-BloodHound-Community-Edition-with-Docker-Compose
Started here to manually parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers
Windows jq is an executable that is downloaded and the download is JUST the executable and not an installer. For these examples the executable has been moved to the local directory and renamed 'jq.exe'.
Get jq: https://jqlang.github.io/jq/
| ######################## | |
| # Get-ServicesExePerms.ps1: Test the permissions for the service executables and directories. | |
| # Author: Don C. Weber (cutaway) | |
| # Date: 20240723 | |
| # | |
| ######################## | |
| $sf = (Get-CimInstance -ClassName Win32_Service).PathName | ForEach-Object { ( ( ( $_ -Split '.exe' )[0] -replace '^"') + '.exe' ).tolower() } | Sort-Object | Get-Unique | ForEach-Object { if ( Test-Path -Path "$_" -PathType Leaf ) { $_ } } | |
| #$rights = @("FullControl","Modify","Write","Read","ReadAndExecute","Synchronize") |
| ###################### | |
| # Sim-PSEncFiles.ps1: Simulate file encrption using PSRemoting | |
| # Purpose: This PS script will encrypt all of the files in a target | |
| # folder to a selected location. The purpose of this script | |
| # is to perform actions similar to the actions performed by | |
| # ransomware. These actions will touch a large number of files, | |
| # create new files with different extension, and encrypt the | |
| # file to a new location. The original file is not modified | |
| # | |
| # Author: Don C. Weber (cutaway) |
| from mitmproxy import http | |
| import paramiko | |
| # Original Example: https://stackoverflow.com/questions/27369144/use-mitmproxy-to-translate-a-form-key-value-to-a-body-post | |
| DEBUG = False | |
| #DEBUG = True | |
| class GetRTUCreds: | |
| localhost = '127.0.0.1' |
PCAPs Resources
• Download PCAPs
○ Free PCAPS: https://www.netresec.com/?page=PcapFiles
○ SecRepo: https://www.secrepo.com/
• ICS Port Numbers
○ IPv4 Multicast Addresses
§ https://www.iana.org/assignments/multicast-addresses/multicast-addresses.txt
○ Old Digital Bond: https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md
| Disable Windows Defender | |
| NOTE: These settings may be permeant. | |
| • Get-MpComputerStatus | |
| • Set-MpPreference -DisableRealtimeMonitoring $true | |
| • Set-MpPreference -DisableBehaviorMonitoring $true | |
| • Set-MpPreference -DisableIntrusionPreventionSystem $true | |
| • Set-MpPreference -DisableIOAVProtection $true | |
| • Set-MpPreference -DisableScriptScanning $true | |
| • Get-MpComputerStatus |
| ########################### | |
| # Bash ~/.bashrc | |
| ########################### | |
| function CONPS() { | |
| n=$1 | |
| export PS1='\n$n \D{%F %T}\n> ' | |
| } | |
| alias consult00='CONPS Consult00; cd ~/Documents/consult00' |
| #!/bin/bash | |
| ipt4='/sbin/iptables' | |
| ipt6='/sbin/ip6tables' | |
| for i in $ipt4 $ipt6; do | |
| # Flush Rules | |
| echo 'Flushing IPTables: ' $i | |
| $i -F | |
| $i -X |
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |