Skip to content

Instantly share code, notes, and snippets.

View svch0stz's full-sized avatar

svch0stz

56 followers · 6 following
View GitHub Profile
@svch0stz
svch0stz / recmd_kroll.reb
Last active May 11, 2022 13:17
Author: "Andrew Rathbun"
Description: "Kroll RECmd Batch File"
Id: ecc582d5-a1b1-4256-ae64-ca2263b8f971
Keys:
-
Category: "System Info"
Comment: "Displays the username of the last user logged in to this system"
Description: WinLogon
HiveType: SOFTWARE
KeyPath: "Microsoft\\Windows NT\\CurrentVersion\\WinLogon"
@svch0stz
svch0stz / DetectRules.csv
Last active April 25, 2022 13:54
Detection Rules for Velociraptor EvtxHunter
We can make this file beautiful and searchable if this error is corrected: It looks like row 6 should actually have 6 columns, instead of 4 in line 5.
eventlog,id,name,eventid,rule,ignore
powershell,win_powershell_web,T1059.001-PowerShell Web Request,^(4104)$,Invoke-WebRequest|iwr |wget |curl |Net.WebClient|Start-BitsTransfer,Get-SystemDriveInfo
powershell,win_powershell_suspicious_keywords,T1059.001-Suspicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-Expression|IEX |-W Hidden|-WindowStyle Hidden|-nop |-noprofile|Set-StrictMode|RunAs32|rundll32|127\.0\.0\.1|System\.Reflection\.AssemblyName|System\.Reflection\.Emit\.AssemblyBuilderAccess|System\.Runtime\.InteropServices\.MarshalAsAttribute|memorystream|SuspendThread|GzipStream,chocolatey
powershell,win_powershell_base64,T1059.001-Use of Base64 Commands,^(200|400|800|4100|4103|4104)$,FromBase64String|EncodedCommand|-En |-Enc,
powershell,win_powershell_mimikatz,T1059.001-Mimikatz Execution via PowerShell,^(200|400|800|4100|4103|4104)$,TOKEN_PRIVILE|SE_PRIVILEGE_ENABLED|mimikatz|lsass\.dmp,
powershell,win_powershell_memoryloader,T1059.001-Loading Powershell in Memory,^(200|400|800|4100|4103|
@svch0stz
svch0stz / Cobalt Strike Named Pipe Regex.csv
Last active October 21, 2024 13:54
Cobalt Strike Named Pipe Regex
Regex Source
MSSE-[0-9a-f]{3}-server Default Cobalt Strike Artifact Kit binaries
status_[0-9a-f]{2} Default psexec_psh
postex_ssh_[0-9a-f]{4} Default SSH beacon
msagent_[0-9a-f]{2} Default SMB beacon
postex_[0-9a-f]{4} Default Post Exploitation job (v4.2+)
mojo.5688.8052.183894939787088877[0-9a-f]{2} jquery-c2.4.2.profile
mojo.5688.8052.35780273329370473[0-9a-f]{2} jquery-c2.4.2.profile
wkssvc[0-9a-f]{2} jquery-c2.4.2.profile
ntsvcs[0-9a-f]{2} trick_ryuk.profile
@svch0stz
svch0stz / defenderwatch.ps1
Last active November 18, 2022 01:03
WMI Watcher for Windows Defender RealtimeMonitoring
$WMI = @{
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
Action = {
#$Global:Data = $Event
Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
}
Namespace = 'root\microsoft\windows\defender'
SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
@svch0stz
svch0stz / scanning_cobaltstrike_config.csv
Created May 6, 2021 10:55
scanning_cobaltstrike_config.csv
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 5.
ip,port,time_scanned,arch,Beacon Type,Port,Polling,Jitter,Max DNS,C2 Server,User Agent,HTTP Method Path 2,Header 1,Header 2,Injection Process,Pipe Name,Year,Month,Day,DNS Idle,DNS Sleep,Method 1,Method 2,Spawn To,Proxy Hostname,Proxy Username,Proxy Password,Proxy Access Type,CreateRemoteThread,Watermark
185.20.186.108,443,1.62002E+12,x86,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,1359593325
185.20.186.108,443,1.62002E+12,x64,8 (HTTPS),443,5000,0,,"185.20.186.108,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",,/N4215/adj/amzn.us.sr.aps,,,,,,,,,,GET,POST,%windir%\sysnative\rundll32.exe,,,,,,1359593325
213.202.211.246,80,1.62002E+12,x86,0 (HTTP),80,10000,5,,"213.202.211.246,/metro91/admin/1/ppptp.jpg",,/metro91/admin/1/secure.php,,,,,,,,,,GET,POST,%windir%\syswow64\rundll32.exe,,,,,,0
213.202.211.246,80,1.62002E+12,x64,0 (HTTP),80,10000,5,,"213.202.211.246,/metr
@svch0stz
svch0stz / repo-reset.md
Created February 13, 2021 14:06 — forked from heiswayi/repo-reset.md
GitHub - Delete commits history with git commands

First Method

Deleting the .git folder may cause problems in our git repository. If we want to delete all of our commits history, but keep the code in its current state, try this:

# Check out to a temporary branch:
git checkout --orphan TEMP_BRANCH

# Add all the files:
git add -A
@svch0stz
svch0stz / winlogbeat-ship2helk.yml
Created September 12, 2020 07:47
#### Winlogbeat Evtx Shipper To HELK ####
# Usage: .\winlogbeat.exe -c .\winlogbeat-ship2helk.yml -e -E EVTX_FILE="C:\Dev\evtxfile2ship.evtx"
winlogbeat.event_logs:
- name: ${EVTX_FILE}
no_more_events: stop
winlogbeat.shutdown_timeout: 60s
winlogbeat.registry_file: evtx-registry.yml
@svch0stz
svch0stz / Merge-CSVFiles.ps1
Last active August 31, 2020 00:23
Merge-CSVFiles: PowerShell Function to Merge a Folder of CSVs and Append a Filename column
# Usage: Merge-CSVFiles
# Usage: Merge-CSVFiles -Path C:\files\to\merge\ -Filter "*.csv" -OutputFile C:\Temp\merged.csv
# Combination of https://declanbright.com/downloads/Combine-Files.ps1 and https://gallery.technet.microsoft.com/scriptcenter/CombineMerge-multiple-CSV-23a53e83
function Merge-CSVFiles {
[cmdletbinding()]
param(
[string]$Path = ".",
[string]$Filter = "*.csv",
[string]$OutputFile = "c:\Temp\Merged_$(get-date -f yyyy-MM-dd_HHmmss).csv"
@svch0stz
svch0stz / Just Another List of PowerShell Commands.txt
Created June 7, 2020 05:37
Just Another List of PowerShell Commands
//Get AD Password Information — Can be used to find stale accounts or users that don’t require authentication
Get-ADUser -Properties Name,UserPrincipalName,Enabled,PasswordNeverExpires,PasswordExpired,PasswordNotRequired,AccountExpirationDate,PasswordLastSet | Export-csv userpasswordinfo.csv
//Get Admins with an SPN — Any account in this list are good targets for Kerberoasting attacks
Get-AdUser -filter {(ServicePrincipalName -like “*”) -AND (AdminCount -eq 1)} -Properties * | Select SAMAccountname,PasswordLastSet | Sort PasswordLastSet
//Get Email from List of usernames
Get-Content usernames.txt | Foreach-object { Get-ADUser $_ -Properties Name,UserPrincipalName,Enabled} | Export-csv output.csv
//Get Usernames from List of Emails
@svch0stz
svch0stz / osx-for-pentesting.sh
Created June 27, 2016 10:13 — forked from gabemarshall/osx-for-pentesting.sh
A fork of osx-for-hackers for my personal pentesting setup preferences
# OSX for Pentesting (Mavericks/Yosemite)
#
# A fork of OSX for Hackers (Original Source: https://gist.github.com/brandonb927/3195465)
#!/bin/sh
# Ask for the administrator password upfront
echo "Have you read through the script prior to running this? (y or n)"
read bcareful