name: Custom.Sigcheck
precondition: SELECT OS From info() where OS = 'windows'
parameters:
  - name: binaryURL
    description: |
      Specify this as the base of the binary store (if empty we use
      the server's public directory).
  - name: SigcheckArgs
    default: c:\windows\system32

name: Windows.Services.Hashes
description: |
  This artifact enumerates the service binaries from the registry and locates their
  binaries. We then calculate hashes of the binaries.
parameters:
  - name: serviceKeys
    default: |
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\**\ImagePath
  - name: pathRegex

name: Custom.RemoveService
description: |
  Clean up malicious services.
type: CLIENT
parameters:
  - name: script
    default: |
      $service = Get-WmiObject -Class Win32_Service -Filter "Name='%v'"

name: Custom.RemoveScheduledTask
description: |
  Remove malicious task
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT
parameters:
  - name: script

name: Custom.GetLocalAdmins
description: |
  Gets a list of local admin accounts
reference:
  - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroupmember?view=powershell-5.1
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

# Imports needed to run this snippet on its own (the same ones the
# companion info() snippet uses).
import pandas
from pyvelociraptor import velo_pandas

# Pull the first 50 rows of the Analysis source that the
# Windows.System.TaskScheduler artifact produced for this hunt.
pandas.DataFrame(velo_pandas.DataFrameQuery("""
SELECT *
FROM hunt_results(hunt_id='H.a127011b',
                  artifact='Windows.System.TaskScheduler',
                  source='Analysis')
LIMIT 50
"""))

import pandas
from pyvelociraptor import velo_pandas

# Show full column contents and every row/column instead of truncating.
pandas.set_option('display.max_colwidth', None)
pandas.set_option('display.max_columns', None)
pandas.set_option('display.max_rows', None)

pandas.DataFrame(velo_pandas.DataFrameQuery("""
SELECT * FROM info()
"""))

name: Windows.Applications.EdgeUrls
description: |
  Scan anything that looks like a URL in Edge folders.
parameters:
  - name: EdgeGlob
    default: C:/Users/*/AppData/Local/Packages/Microsoft.MicrosoftEdge_*/**
  - name: URLYaraRule
    default: |
      rule URL {

name: HashRunKeys
description: |
  Iterate over all the run keys and locate their binary then hash it.
parameters:
  - name: runKeys
    default: |
      HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*
  - name: pathRegex
    type: hidden

# Create (or open) a named global mutex; $createdNew is set to $true only
# when this process is the one that created it, i.e. no other instance holds it.
$createdNew = $False
$mutex = New-Object -TypeName System.Threading.Mutex `
    -ArgumentList $true, "Global\MyBadMutex", ([ref]$createdNew)

if ($createdNew) {
    Write-Output "Acquired Mutex"
    # Hold the mutex for a while so it stays visible to handle/mutex scans.
    Start-Sleep -Seconds 100
} else {
    Write-Output "Someone else has the mutex"
}