Matthew Green mgreen27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- Tag machines by name, modify for other tagging usecases | |
| LET target_clients = ( 'machinename1','machinename2'... ) | |
| SELECT | |
| os_info.hostname as Hostname, | |
| os_info.fqdn as Fqdn, | |
| os_info.release as OS, | |
| timestamp(epoch=first_seen_at) as FirstSeen, | |
| timestamp(epoch=last_seen_at) as LastSeen, | |
| last_ip, |
mgreen27
/ enrichment.vql
Last active
October 5, 2022 17:32
Velocon 2022 - Notebook and VQL: Data munging your way to victory!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- add API key here | |
| LET APIKey = 'REDACTED' | |
| -- firstly Materialize all entries for performance | |
| LET all_entries <= SELECT | |
| Fqdn,ClientId, | |
| `Entry Location` as EntryLocation, | |
| Entry,Enabled,Profile,Description,Company, | |
| `Image Path` as ImagePath, | |
| Version, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Extract unallocated with TSK | |
| # Version: 0.1 | |
| # Date: 2020-05-14 | |
| # Author: @mgreen27 | |
| # Instructions | |
| # 1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH | |
| # or remove comment for hardcoded image name and path |
mgreen27
/ 00_ntfs.ps1
Last active
July 11, 2022 16:06
— forked from scudette/extended_attributes.ps1
Auscert 2022 Exercise setup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe", | |
| "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.ETW.Testing | |
| description: | | |
| This artifact uses the ETW provider: | |
| Microsoft-Windows-Kernel-File {edd08927-9cc4-4e65-b970-c2560fb5c289} | |
| type: CLIENT_EVENT | |
| parameters: | |
| - name: FilePathRegex | |
| description: "FilePath regex filter for" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Server.Malware.JoeSandbox | |
| description: | | |
| This is a POC to submit a sample to JoesSandbox. | |
| No options beyont TAC and API have been configured. | |
| type: SERVER | |
| parameters: | |
| - name: JoeSandboxUrl | |
| default: https://www.joesandbox.com/api/v2/submission/new |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Frontend": { | |
| "hostname": "", | |
| "bind_address": "0.0.0.0", | |
| "bind_port": 443, | |
| "public_path": "/opt/velociraptor/PUBLICTEMPLATE", | |
| "default_client_monitoring_artifacts": [ | |
| "Generic.Client.Stats" | |
| ], | |
| "dyn_dns": { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0' encoding='windows-1252'?> | |
| <?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?> | |
| <?define PackageDescription="COMPANYNAME TOOLNAME installer" ?> | |
| <?define Manufacturer="COMPANYNAME" ?> | |
| <?define Name="TOOLNAME" ?> | |
| <?define Version="VERSION" ?> | |
| <?define BinaryName="TOOLNAME.exe" ?> | |
| <?define BinaryNamex86="TOOLNAMEx86.exe" ?> | |
| <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.EventLogs.Bitsadmin | |
| author: "Matt Green - @mgreen27" | |
| description: | | |
| This content will extract BITS Transfer events and enable filtering by URL | |
| reference: | |
| - https://attack.mitre.org/techniques/T1197/ | |
| - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html | |
| parameters: |
mgreen27
/ gcloud_cheat_sheet.md
Created
March 19, 2021 01:34
— forked from pydevops/gcloud-cheat-sheet.md
gcp gcloud cheat sheet