Jonathan Johnson jsecurity101
jsecurity101
/ LogonSessionProcesses.ps1
Created
September 27, 2022 21:40
Updated version of Lee Christensen's (@tifkin_) Get-LogonSessionProcesses script which will obtain information regarding processes tied to a given LogonID and with it any network connections that process may have.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){ | |
| $TypeDef = @' | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace TokenInformation { | |
| [Flags] | |
| public enum ProcessAccess { | |
| All = 0x001FFFFF, | |
| Terminate = 0x00000001, | |
| CreateThread = 0x00000002, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Author: Jonathan Johnson | |
| Data pulled via winnt.h / LookupPrivilegeValue | |
| SE_CREATE_TOKEN_NAME / SeCreateTokenPrivilege / 2 | |
| SE_ASSIGNPRIMARYTOKEN_NAME / SeAssignPrimaryTokenPrivilege / 3 | |
| SE_LOCK_MEMORY_NAME / SeLockMemoryPrivilege / 4 | |
| SE_INCREASE_QUOTA_NAME / SeIncreateQuotoPrivilege / 5 | |
| SE_MACHINE_ACCOUNT_NAME / SeMachineAccountPrivilege / 6 | |
| SE_TCB_NAME / SeTcbPrivilege / 7 | |
| SE_SECURITY_NAME / SeSecurityPrivilege/ 8 |
jsecurity101
/ KerberosCorrelation.ipynb
Last active
May 28, 2024 22:40
Kerberos Detection/Investigation
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ ProtectionChecks.ps1
Last active
March 28, 2025 21:53
Powershell script that will pull whether a process or service is running as protected (PPL).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Author: Jonthan Johnson (@jsecurity101) | |
| if (-not ('ProtectedObjects.ProcessNativeMethods' -as [Type])) { | |
| $TypeDef = @' | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace ProtectedObjects { | |
| [Flags] | |
| public enum ProcessAccess { |
jsecurity101
/ Get-IntegrityLevel.ps1
Last active
April 10, 2025 12:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){ | |
| $TypeDef = @' | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace TokenInformation { | |
| [Flags] | |
| public enum ProcessAccess { | |
| All = 0x001FFFFF, | |
| Terminate = 0x00000001, |
jsecurity101
/ Prevent_Relay_RPC_Filter.txt
Last active
February 13, 2023 02:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rpc | |
| filter | |
| add rule layer=um actiontype=permit | |
| add condition field=if_uuid matchtype=equal data=<uuidguid> | |
| add condition field=auth_type matchtype=equal data=16 | |
| add condition field=auth_level matchtype=equal data=6 | |
| add filter | |
| add rule layer=um actiontype=block | |
| add condition field=if_uuid matchtype=equal data=<uuidguid> | |
| add filter |
jsecurity101
/ rpc-mapping.json
Created
September 20, 2021 15:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "RPC to Technique Mapping", | |
| "versions": { | |
| "attack": "9", | |
| "navigator": "4.4.1", | |
| "layer": "4.2" | |
| }, | |
| "domain": "enterprise-attack", | |
| "description": "", | |
| "filters": { |
jsecurity101
/ Netsync.ipynb
Last active
October 30, 2020 02:18
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Remote_Service_Creation.ipynb
Created
July 1, 2020 14:50
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
jsecurity101
/ Venator.ipynb
Created
July 1, 2020 14:46
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.