Jesse Moore jessefmoore
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 12/03/2024 Marko | |
| # Dfir-jesseee inspired | |
| # sudo apt upgrade -y | |
| # sudo apt install virtualenv | |
| # mkdir ~/python-environments && cd ~/python-environments | |
| # virtualenv aidev | |
| # ls aidev/lib | |
| # source aidev/bin/activate | |
| # pip install bs4 | |
| # pip install requests |
jessefmoore
/ join-domain.ps1
Created
November 24, 2022 00:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Dfir-jesseee repurpose joindomain.ps1 from https://github.com/clong/DetectionLab/blob/master/Vagrant/scripts/join-domain.ps1 | |
| # CyberForce 2021 | |
| # | |
| # | |
| # Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1". | |
| # Source: https://github.com/StefanScherer/adfs2 | |
| $hostsFile = "c:\Windows\System32\drivers\etc\hosts" | |
| Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Joining the domain..." |
jessefmoore
/ ClearAllLogs.bat
Created
October 8, 2022 16:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Dfir-jesseee modified | |
| # 10/08/2022 | |
| # in use at CyberForce and CCDC | |
| # | |
| @echo off | |
| FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V | |
| IF (%adminTest%)==(Access) goto noAdmin | |
| for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G") | |
| echo. | |
| echo Event Logs have been cleared! |
jessefmoore
/ 00_ntfs.ps1
Created
July 11, 2022 16:06
— forked from mgreen27/00_ntfs.ps1
Auscert 2022 Exercise setup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe", | |
| "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
| ) |
jessefmoore
/ windows_10_HyperV.pkr.hcl
Last active
May 27, 2022 15:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Walk thru video here https://screencast-o-matic.com/content/video/c3n1rjVDms6 | |
| # | |
| ### Take the below code to run Packer to build Win10 in HyperV ###### | |
| packer build --only=hyperv-iso.windows10 ` | |
| --var disk_size=136400 ` | |
| --var switch_name=InternalSwitch ` | |
| --var iso_url=./iso/Win10_21H1_English_x64.iso ` | |
| --var iso_checksum=sha1:78aa5fa0fd332ee0822ef5a533cd2cfe12333274 ` | |
| windows_10.pkr.hcl | |
| ###################################################################### |
jessefmoore
/ enable_script_block_logging.ps1
Last active
April 15, 2022 18:41
enable script block logging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell module that is available from the PowerShell Gallery to enable script block logging, all you need is a PowerShell 5.x console with Administrator privileges, and this code | |
| Install-Module -Name scriptblocklogginganalyzer -Scope CurrentUser Set-SBLLogSize -MaxSizeMB 1000 Enable-SBL | |
| # Once script block logging is active, you can dump the log and examine the logged script | |
| # Get-SBLEvent | Out-GridView | |
| # | |
| #There are ways to harden the script block log, and make sure only Administrators can read this log. Run this to change access permissions to Administrators only | |
| #requires -RunAsAdministrator | |
| $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\Microsoft-Windows-PowerShell/Operational" | |
jessefmoore
/ aws_winsrvr_just1.yml
Last active
February 17, 2023 19:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| # Windows cf template. this works in US-West-2 (Oregon) | |
| # dfir-jesseee modified for workshop on Atomic Red Team and Detection | |
| # $UserData: Install Atomic Red Team repo and atomics, and execution framework | |
| # | |
| #You will need to create a key pair in the Console and | |
| #it will ask for the name when you deploy the CF, | |
| #If you want it open to the world -Add WorkstationIP Default: 0.0.0.0/0 | |
| # changed AmI to ami-043a10657355653f6 2019 -base container | |
| Parameters: |
jessefmoore
/ Find IOCs for US-CERT-TA18-074A
Created
February 22, 2022 18:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Get-US-CERT-TA18-074A.ps1 returns data about US-CERT Alert. https://www.us-cert.gov/ncas/alerts/TA18-074A | |
| .NOTES | |
| The next line is needed by Kansa.ps1 to determine how to handle output | |
| from this script. | |
| OUTPUT TSV | |
| Contributed by Jesse Moore | |
| #> |
jessefmoore
/ minimal-defender-bypass.profile
Created
December 28, 2021 00:40
— forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) | |
| # as stage0, remote injecting a thread into a suspended process works | |
| set host_stage "false"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; | |
| set sleeptime "10000"; | |
| stage { | |
| set allocator "MapViewOfFile"; | |
| set name "notevil.dll"; |
jessefmoore
/ create-domain.ps1
Created
November 13, 2021 17:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # dfir-jesseee repurpose detecionLab reference: https://github.com/clong/DetectionLab/blob/master/Vagrant/scripts/create-domain.ps1 | |
| # Need to change password | |
| # Need to add restart-computer at the end of script | |
| # | |
| # Purpose: Creates the "windomain.local" domain | |
| # Source: https://github.com/StefanScherer/adfs2 | |
| param ([String] $ip) | |
| $subnet = $ip -replace "\.\d+$", "" |
NewerOlder