Matthew Green mgreen27
mgreen27
/ setup_wireguard.sh
Last active
June 26, 2024 01:29
Script to setup quick and dirty wireguard VPN server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script sets up a WireGuard VPN server and generates a basic client configuration | |
| # Exit immediately if a command exits with a non-zero status | |
| set -e | |
| # Check if run as root | |
| if [ "$(id -u)" -ne 0 ]; then | |
| echo "This script must be run as root" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| LET find_flows(clientid,artifact) = SELECT * | |
| FROM flatten(query={ SELECT client_id, session_id,artifacts_with_results,start_time,state FROM flows(client_id=clientid) }) | |
| WHERE artifacts_with_results = artifact | |
| LIMIT 1 -- will collect latest | |
| LET results = SELECT | |
| client_id as ClientId, | |
| os_info.hostname as Hostname, | |
| os_info.fqdn as Fqdn, |
mgreen27
/ MsiInstallerMetadata.yaml
Created
January 8, 2024 07:26
Hacky way to find msi installer metadata in Velociraptor and not use powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows.System.MsiInstallerMetadata | |
| author: Matt Green - @mgreen27 | |
| description: | | |
| This artifact allows runs VBScript through cscript.exe and calculates MSI | |
| installer metadata. | |
| Not using powershell to minimise footprint, use notebook to search for metadata. | |
| required_permissions: | |
| - EXECVE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Patch-RDP { | |
| <# | |
| .SYNOPSIS | |
| Patch RDP to enable multiple RDP sessions on non RDP servers. | |
| Name: patch_rdp.ps1 | |
| Version: 0.2 | |
| Author: Matt Green - @mgreen27 | |
| .DESCRIPTION |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is a staging file for Running TCGLogTools in Velociraptor | |
| Import-Module $Env:TCGLogTools | |
| $TCGLog = ls $Env:TCGLogLocation | ConvertTo-TCGEventLog -MinimizedX509CertInfo | |
| $TCGCurrentBytes = Get-TCGLogContent -LogType SRTMCurrent | |
| $TCGLog = $TCGLog + $(ConvertTo-TCGEventLog -LogBytes $TCGCurrentBytes -MinimizedX509CertInfo) | |
| $TCGLog | ConvertTo-Json -Depth 8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Update install script | |
| # run ./update.sh velociraptor-v0.6.4-dev-linux-amd64 | |
| # firslt backup old installer | |
| #mv *.deb old/ | |
| # next make binary executable | |
| sudo chmod +x $1 |
mgreen27
/ Get-InjectedThreadEx.ps1
Last active
February 21, 2023 12:16
Get-InjectedThreadEx for use in Velociraptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThreadEx | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
mgreen27
/ impact.vql
Last active
February 16, 2023 05:59
Vql ransomware impact scoping Windows.NTFS.MFT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ### Drive Ransom note stats | |
| */ | |
| SELECT | |
| strip(string=split(string=OSPath,sep=':')[0],prefix='''\\.\''') as Drive, | |
| FileName as RansomeNote, | |
| --min(item=Created0x10) as EarliestCreation, | |
| --max(item=Created0x10) as LatestCreation, | |
| min(item=LastModified0x10) as EarliestModified, | |
| max(item=LastModified0x10) as LatestModified, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe" | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Tag machines by name, modify for other tagging usecases | |
| LET target_clients = ( 'machinename1','machinename2'... ) | |
| SELECT | |
| os_info.hostname as Hostname, | |
| os_info.fqdn as Fqdn, | |
| os_info.release as OS, | |
| timestamp(epoch=first_seen_at) as FirstSeen, | |
| timestamp(epoch=last_seen_at) as LastSeen, | |
| last_ip, |
NewerOlder