Term | Description | Link(s) |
---|---|---|
Alias | Another email address that people can use to email the mailbox. | |
App Password | A password created within the Azure portal that allows the user to bypass MFA and continue to use their application. | |
Alternate email address | Required for admins to receive important notifications or to reset the admin password; it cannot be modified by end users. | |
AuditAdmin | | |
AuditDelegate | | |
Delegate | An account with assigned permissions to a mailbox. | |
Display Name | Name that appears in the Address Book and on the To and From lines of an email. | |
EAC | Exchange Admin Center | |
```powershell
# PowerShell 2.0+
# Description: PowerShell script to add Event Consumer
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'StagingLocation_Example'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'
```
```powershell
function Get-Derived {
    Param(
        [String]$Class,
        [String]$Namespace
    )
    if (-not [string]::IsNullOrEmpty($Class))
    {
        Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | foreach {
            Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE
            $_
```
```powershell
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: PowerShell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
```
```powershell
<#
.SYNOPSIS
Invoke-CLSIDParser.ps1 parses COM CLSID entries from HKEY_LOCAL_MACHINE and HKEY_USERS registry hives.
Name: Invoke-CLSIDParser.ps1
Version: 0.1
Author: Matt Green (@mgreen27)
.DESCRIPTION
Researchers have recently written about several use cases for code execution and persistence utilising COM (Component Object Model) hijacking.
```
```powershell
<#
.SYNOPSIS
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
Name: WMIEvent-BinaryRename.ps1
Version: 1.0
Author: Matt Green (@mgreen27)
.DESCRIPTION
```
```powershell
Function Get-AMSIEvents
{
<#
.SYNOPSIS
Get-AMSIEvents collects AMSI events during interval.
Name: Get-AMSIEvents.ps1
Version: 0.1
Date: 2019-05-26
```
```powershell
<#
.SYNOPSIS
Find BinaryRename of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
    Get-FileHash PowerShell 4.0+
```
```bash
#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
#   3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"
```
```powershell
function Get-KerberosTicketCache
{
<# __CyberCX__
Author: Jared Atkinson (@_jaredca_tkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.EXAMPLE
```