@mgreen27
mgreen27 / ActiveScriptEventConsumer.ps1
Last active January 13, 2022 01:22
PowerShell script to install an ActiveScriptEventConsumer
# PowerShell 2.0+
# Description: Powershell script to add Event Consumer
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'StagingLocation_Example'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'
@mgreen27
mgreen27 / Get-ExtrinsicEventClasses.ps1
Created May 27, 2017 01:26 — forked from et0x/Get-ExtrinsicEventClasses.ps1
List all WMI extrinsic event classes recursively
function Get-Derived {
Param(
[String]$Class,
[String]$Namespace
)
if (-not [string]::IsNullOrEmpty($Class))
{
Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | foreach {
Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE
$_
@mgreen27
mgreen27 / EDR_Killer.ps1
Last active October 18, 2021 16:12
WMI EventConsumer to disable EDR (or other) tools when installed
# PowerShell 2.0
# Name: EDR_Killer.ps1
# Version: 1.0
# Author: @mgreen27
# Description: Powershell WMI Event Consumer Proof of Concept to disable EDR tools when installed.
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'EDR_Killer'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "Win32_Service" AND (TargetInstance.Name = "Sysmon" OR TargetInstance.Name = "Service name 2" OR TargetInstance.Name = "Service Name ..." OR TargetInstance.Name = "Service name N")'
@mgreen27
mgreen27 / Invoke-CLSIDParser.ps1
Created July 22, 2018 12:34
Parse CLSID COM objects from Registry
<#
.SYNOPSIS
Invoke-CLSIDParser.ps1 parses COM CLSID entries from HKEY_LOCAL_MACHINE and HKEY_USERS registry hives.
Name: Invoke-CLSIDParser.ps1
Version: 0.1
Author: Matt Green (@mgreen27)
.DESCRIPTION
Researchers have recently written about several use cases for code execution and persistence utilising COM (Component Object Model) hijacking.
@mgreen27
mgreen27 / WMIEvent-BinaryRename.ps1
Last active July 15, 2022 20:36
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
<#
.SYNOPSIS
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
Name: WMIEvent-BinaryRename.ps1
Version: 1.0
Author: Matt Green (@mgreen27)
.DESCRIPTION
@mgreen27
mgreen27 / Get-AMSIEvents.ps1
Last active May 27, 2019 12:59
Get-AMSIEvents
Function Get-AMSIEvents
{
<#
.SYNOPSIS
Get-AMSIEvents collects AMSI events during interval.
Name: Get-AMSIEvents.ps1
Version: 0.1
Date: 2019-05-26
@mgreen27
mgreen27 / Get-BinaryRename.ps1
Created June 1, 2019 08:08
Binary Rename static detection
<#
.SYNOPSIS
Find BinaryRename of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
Get-FileHash Powershell 4.0+
| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or for resetting the admin password; cannot be modified by end users | |
| AuditAdmin | | |
| AuditDelegate | | |
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book & on the To and From lines of an email. | |
| EAC | "Exchange Admin Center" | |
@mgreen27
mgreen27 / buildLocalLR.sh
Last active October 1, 2021 20:25
Velociraptor local live response configuration files
#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
# latest Velociraptor release binary from github
LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"
@mgreen27
mgreen27 / Get-KerberosTicketCache.ps1
Last active September 22, 2020 11:38
Get-KerberosTicketCache
function Get-KerberosTicketCache
{
<# __CyberCX__
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.EXAMPLE