// Create Remote Trace Session
logman -s Wakanda-Wrkstn create trace -n KernelAPICallTrace -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
logman -s Wakanda-Wrkstn create trace -n "Service\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
logman -s Wakanda-Wrkstn create trace -n "Autosession\KernelAPICallTrace" -p Microsoft-Windows-Kernel-Audit-API-Calls 0xFFFFFFFFFFFFFFFF 0xFF -o C:\KernelAPICallTrace.etl -ets
// Query Remote Trace Sessions
logman -s Wakanda-Wrkstn query -ets
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
@jonny-jhnson
jonny-jhnson / GrabTools.ps1
Last active November 7, 2024 12:15
Tools needed for DEATHCON 2024
$EtwInspectorURL = "https://github.com/jsecurity101/ETWInspector/releases/download/1.0/EtwInspector.exe"
$JonMonURL = "https://github.com/jsecurity101/JonMon/releases/download/Beta-0.01/JonMon.zip"
$EtwInspector = "EtwInspector.exe"
$JonMonZIP = "JonMon.zip"
# Download the file using Invoke-WebRequest
Write-Output "Downloading EtwInspector..."
Invoke-WebRequest -Uri $EtwInspectorURL -OutFile $EtwInspector
Write-Output "EtwInspector Downloaded"
PS > Get-FwFilter -Key 8560068a-cb5a-4521-84cf-e1c0072dc359 | Format-FwFilter
Name : Custom Outbound Filter
Action Type: Block
Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id : 68421
Description:
Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer : FWPM_SUBLAYER_UNIVERSAL
Flags : Persistent, Indexed
Weight : 274877906944
PS > Get-FwFilter -Id 68421 | Format-FwFilter
Name : Custom Outbound Filter
Action Type: Block
Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id : 68421
Description:
Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer : FWPM_SUBLAYER_UNIVERSAL
Flags : Persistent, Indexed
Weight : 274877906944
$LoadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver
$LoadedDrivers | % {
if ($_.PathName -ne $null) {
# Check if the path starts with \??\ and adjust the relative path
if ($_.PathName.StartsWith("\??\")) {
$RelativePath = $_.PathName.Remove(0,4)
} else {
$RelativePath = $_.PathName
}
@jonny-jhnson
jonny-jhnson / LDAPQueries.md
Created October 25, 2023 15:05
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

Queries are not complete and are meant to be a reference. If you are using them for hunting, use a "contains" match within the query language.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • Attributes with passwords
    • (userpassword=*)
@jonny-jhnson
jonny-jhnson / gist:dc8bfc035cdaa42f87b2937dd2cef83b
Created September 11, 2023 16:28
MACRO_STATUS Enum for IDA
enum MACRO_STATUS : __int64
{
STATUS_WAIT_0 = 0x0,
STATUS_SEVERITY_INFORMATIONAL = 0x1,
STATUS_SEVERITY_WARNING = 0x2,
STATUS_SEVERITY_ERROR = 0x3,
STATUS_SUCCESS = 0x0,
STATUS_WAIT_1 = 0x1,
STATUS_WAIT_2 = 0x2,
STATUS_WAIT_3 = 0x3,
@jonny-jhnson
jonny-jhnson / LOLDriverConfig.ps1
Last active October 31, 2023 13:45
PowerShell script that creates an audit or block Sysmon config based on LOLDrivers
#Author: Jonathan Johnson (@jsecurity101)
function New-DriverConfig {
<#
.EXAMPLE
New-DriverConfig -Block
Creates driver block config in the current directory
.EXAMPLE