Eric Capuano ecapuano
ecapuano
/ better_event_logging.ps1
Created
March 1, 2025 17:50
A PowerShell script for installing Sysmon and enabling best-practice audit logs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ================================================ | |
| # Sysmon & Windows Event Log Configuration Script | |
| # ================================================ | |
| # Check for administrative privileges | |
| $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent() | |
| $principal = New-Object Security.Principal.WindowsPrincipal($currentUser) | |
| if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { | |
| Write-Host "This script requires administrative privileges. Please run as an administrator." -ForegroundColor Red | |
| exit 1 |
ecapuano
/ HashMorpher.ps1
Last active
December 19, 2024 02:36
interactive tutorial to better understand the difference between static hashes and fuzzy hashes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################# | |
| # Script: HashMorpher.ps1 | |
| # Author: Eric Capuano | |
| # Source: https://blog.ecapuano.com/p/the-role-of-fuzzy-hashes-in-security | |
| # Social: https://bsky.app/profile/eric.zip | |
| ######### What is this? ######### | |
| # | |
| # This script is an interactive tutorial to better understand the difference | |
| # between static hashes and fuzzy hashes | |
| # |
ecapuano
/ share_unshare_libraries.py
Created
November 12, 2023 23:00
Share specified libraries with all Plex users
ecapuano
/ sliver_broad.yara
Last active
October 30, 2023 04:51
Inspired by NCSC UK, but modified to be much less specific. Ref: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule sliver_strings { | |
| meta: | |
| author = "Eric Capuano, inspired by NCSC UK" | |
| description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)" | |
| strings: | |
| $p1 = "/sliver/" | |
| $p2 = "sliverpb" | |
| condition: | |
| all of ($p*) | |
| } |
ecapuano
/ sliver.yara
Created
October 30, 2023 02:43
Sliver YARA Sigs painfully extracted from this damn PDF: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule sliver_github_file_paths_function_names { | |
| meta: | |
| author = "NCSC UK" | |
| description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary" | |
| strings: | |
| $p1 = "/sliver/" | |
| $p2 = "sliverpb." | |
| $fn1 = "RevToSelfReq" | |
| $fn2 = "ScreenshotReq" | |
| $fn3 = "IfconfigReq" |
ecapuano
/ Windows.Destroy.System.yaml
Created
March 1, 2023 22:54
A Velociraptor artifact that causes a Windows system to self-destruct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows.Destroy.System | |
| description: | | |
| **WARNING! THIS IS HIGHLY DESTRUCTIVE!** | |
| Deletes ALL of the things. UNRECOVERABLE! | |
| First deletes sensitive areas (user profiles, event logs) then moves | |
| to wiping and zeroizing the entire C: drive. | |
| The system will ultimately fail before the process finishes, but the |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A retired winlogbeats config maintained by the Recon InfoSec SOC | |
| # contains most the higher value events needed for detection and response | |
| # should be tuned for your specific environment and log volume tolerance | |
| winlogbeat.event_logs: # Global Event Logs Config | |
| - name: Security | |
| ignore_older: 24h | |
| processors: | |
| - script: | |
| when.equals.winlog.channel: Security |
ecapuano
/ secrets.yara
Created
October 10, 2022 23:47
— forked from dustyfresh/secrets.yara
yara signatures converted from trufflehog regexes for identifying secrets in text files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Yara signatures for identifying secrets in text files. Requires libmagic! | |
| Mostly all stolen from Trufflehog regexes: | |
| - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json | |
| */ | |
| import "magic" |
ecapuano
/ gist:fc0cde0e9293bff8b01783cf8666d214
Created
June 1, 2022 00:23
Velociraptor Unsigned Processes w/VT Lookups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Run against hunt results from Windows.System.Pslist | |
| // Note: Returns ONLY unsigned processes, which minimizes less critical API calls | |
| // Use's the server side enrichment artifact 'Artifact.Server.Enrichment.Virustotal' from @therealwlambert | |
| LET VTKey <= "$apikey" | |
| LET Results = SELECT Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,Hash.SHA256 AS SHA256, Authenticode, Username FROM source() | |
| WHERE NOT Authenticode.Trusted = "trusted" // unsigned binaries | |
| LIMIT 50 | |
| SELECT *, {SELECT * FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results) |
ecapuano
/ wmi_event_consumer_stacking.txt
Last active
May 26, 2022 01:42
wmi_event_consumer_stacking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // run against results from Windows.Persistence.PermanentWMIEvents | |
| // https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml | |
| SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source() | |
| // filter common FPs | |
| WHERE ConsumerName != "BVTConsumer" | |
| AND ConsumerName != "SCM Event Log Consumer" | |
| AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer" | |
| AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer" | |
| AND ConsumerName != "CmdLineConsumer_WSCEAA" |
NewerOlder