mgreen27

function Get-KerberosTicketGrantingTicket
{
    <# __CYberCX__
    .SYNOPSIS

    Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

    .DESCRIPTION

    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.

mgreen27

## Plaso stuff

# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline --storage-file /data/$MACHINENAME.plaso /data/$MACHINENAME

# parsers can be targeted or skipped with --parsers command
docker run -v $(pwd):/data log2timeline/plaso log2timeline --storage-file /data/$MACHINENAME.plaso --parsers=\!filestat,\!mft,\!usnjrnl /data/$MACHINENAME

docker run -v $(pwd):/data log2timeline/plaso log2timeline --storage-file /data/$MACHINENAME.plaso --parsers=winevtx /data/$MACHINENAME

mgreen27

name: Custom.Packs.HAFNIUM.Windows.WebshellSearch
author: Matt Green - @mgreen27
description: |
  This artifact will hunt for Webshells associated with the HAFNIUM campaign as 
  reported by Microsoft and Volexity.
  
  The default artifact will discover all ASPX files on C: then run a preconfigured 
  yara rule. Yara can be supplied by the YaraRule parameter or alternatively a 
  URL can be set to enable download of remote rule set.
  

mgreen27

name: Custom.Windows.System.KB5000871
author: Matt Green - @mgreen27
description: |
   This artifact will check for KB5000871 in system Uninstall keys.
   
   KB5000871 is not visible via Get-Hotfix or Systeminfo so we need to query the 
   uninstall keys. Modify NameRegex to search for other installed applications.

reference:
    - https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

mgreen27

Table of Contents

• 0.1. References
  • 0.2. Other cheatsheets
  • 0.3. Manage multiple gcloud config configurations
    • 0.3.1. Switch gcloud context with gcloud config
  • 0.4. Auth
• 0.5. info

mgreen27

name: Custom.Windows.EventLogs.Bitsadmin
author: "Matt Green - @mgreen27"
description: |
    This content will extract BITS Transfer events and enable filtering by URL

reference:
  - https://attack.mitre.org/techniques/T1197/
  - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html

parameters:

mgreen27

<?xml version='1.0' encoding='windows-1252'?>
<?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?>
<?define PackageDescription="COMPANYNAME TOOLNAME installer" ?>
<?define Manufacturer="COMPANYNAME" ?>
<?define Name="TOOLNAME" ?>
<?define Version="VERSION" ?>
<?define BinaryName="TOOLNAME.exe" ?>
<?define BinaryNamex86="TOOLNAMEx86.exe" ?>

<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>

mgreen27

{
    "Frontend": {
        "hostname": "",
        "bind_address": "0.0.0.0",
        "bind_port": 443,
        "public_path": "/opt/velociraptor/PUBLICTEMPLATE",
        "default_client_monitoring_artifacts": [
            "Generic.Client.Stats"
        ],
        "dyn_dns": {

mgreen27

name: Custom.Server.Malware.JoeSandbox
description: |
   This is a POC to submit a sample to JoesSandbox.
   No options beyont TAC and API have been configured.

type: SERVER

parameters:
   - name: JoeSandboxUrl
     default: https://www.joesandbox.com/api/v2/submission/new

mgreen27

name: Custom.ETW.Testing
description: |
    This artifact uses the ETW provider:
    Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289} 

type: CLIENT_EVENT

parameters:
  - name: FilePathRegex
    description: "FilePath regex filter for"