scudette
/ Custom.Windows.Detection.ProcessHollowing.yaml
Created
July 13, 2020 00:29
Velociraptor Artifact to apply Hollows Hunter on the endpoint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.Detection.ProcessHollowing | |
| description: | | |
| Use hollows_hunter to detect suspicious process injections. | |
| Upload any findings to the server, including process dumps. | |
| tools: | |
| - name: hollows_hunter | |
| url: https://github.com/hasherezade/hollows_hunter/releases/download/v0.2.7.1/hollows_hunter64.exe |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Splunk.Flows.Upload | |
| description: | | |
| Upload all collected results of a specific artifact type to a splunk index. | |
| type: SERVER_EVENT | |
| parameters: | |
| - name: ArtifactName | |
| default: Generic.Client.Info/Users | |
| description: Only upload these artifacts to splunk |
scudette
/ Custom.Label.User.yaml
Last active
March 25, 2021 12:26
Label clients that contain a username.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Label.User | |
| description: | | |
| This artifact watches for new client enrolments and automatically label | |
| the client with the required label if the user exists. | |
| This artifact can be the starting point for automatically labeling a machine | |
| based on any other property - just change the artifact to watch and the result | |
| filter. | |
| type: SERVER_EVENT |
scudette
/ Get-InjectedThread.ps1
Created
June 20, 2020 14:58
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
scudette
/ Custom.Uninstall.Velociraptor.yaml
Created
May 18, 2020 01:46
Artifact to remove Velociraptor that has been installed manually
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Uninstall.Velociraptor | |
| description: | | |
| Uninstall Velociraptor which was installed using | |
| ``` | |
| Velociraptor.exe --config client.config.yaml service install | |
| ``` | |
| The problem with installation method is that it becomes hard to remove since it | |
| is not properly managed by the windows installer. We can not delete the executable |
scudette
/ fsevents_windows.go
Created
May 1, 2020 13:37
— forked from pkrnjevic/fsevents_windows.go
Windows USN Journal sample in Go based on Jeffrey Richter's superb MSDN Journal article. A work in progress, intended to provide similar API to go.fsevents.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // File: fsevents_windows.go | |
| // Date: October 29, 2013 | |
| // Author: Peter Krnjevic <[email protected]>, on the shoulders of many others | |
| // | |
| // This code sample is released into the Public Domain. | |
| // | |
| package fsevents | |
| import ( |
scudette
/ make_exe_gui.py
Created
April 20, 2020 01:54
Makes a console application into a GUI application (Stop cmd.exe windows from appearing).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| import argparse | |
| import struct | |
| if __name__ == "__main__": | |
| argument_parser = argparse.ArgumentParser("make_exe_gui") | |
| argument_parser.add_argument("exe", help="Path to the exe to change") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| autoexec: | |
| argv: | |
| - "-v" | |
| - "artifacts" | |
| - "collect" | |
| - MemoryAcquisition | |
| artifact_definitions: | |
| - name: MemoryAcquisition | |
| description: | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: TestMe | |
| parameters: | |
| - name: data | |
| default: | | |
| [{ | |
| "config": [ | |
| { | |
| "AttrCONFIG.SECTION": "SECTION 1" | |
| }, |
scudette
/ Custom.Windows.EventLog.BadAccounts.yaml
Last active
June 6, 2021 17:23
Search event logs for bad user accounts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.EventLog.BadAccounts | |
| description: | | |
| Parses all the event logs on the endpoint and sends back any single event that is | |
| related to a certain user account or SID (or any string pattern actually). | |
| This is very useful for finding unknown application event logs related to lateral | |
| movement. | |
| precondition: SELECT OS From info() where OS = 'windows' |