Merge pull request #967 from MaxZabuty/More-Creation-and-Modification…
…-Max Created some new things
Showing 28 changed files with 418 additions and 46 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -0,0 +1,66 @@ | ||
Description: Parsing all information for Network Activity Category | ||
Category: Network Activity | ||
Author: Max Zabuty | ||
Version: 1 | ||
Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de | ||
ExportFormat: json | ||
Processors: | ||
- | ||
Executable: PowerShell_SMBMapping.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_SMBOpenFile.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_SMBSession.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetNeighbor.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_TCPConnections.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetworkAdapters.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetworkIPAddresses.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetworkIPConfiguration.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_DnsClientCache.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: Windows_nbtstat_NetBIOSCache.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: Windows_nbtstat_NetBIOSSessions.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: Powershell_Wireless_Network_Connections.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NamedPipes.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetRoute.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
|
||
# Documentation: | ||
# N/A |
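Review bot: the Id on this compound module (8da4a739-5367-47ca-ab84-12f4a0f8e0de) is the same GUID used by the Persistence compound module added in this PR; generate a fresh GUID for each .mkape file so the two modules stay distinguishable. Minor: `Executable: Powershell_Wireless_Network_Connections.mkape` breaks the `PowerShell_` prefix casing used by every other entry in the list, and the `# Documentation:` block carries only `# N/A`; either link the component modules' documentation or drop the placeholder.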
@@ -0,0 +1,26 @@ | ||
Description: Parsing all Persistence category | ||
Category: Persistence | ||
Author: Max Zabuty | ||
Version: 1 | ||
Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de | ||
ExportFormat: json | ||
Processors: | ||
- | ||
Executable: Windows_schtasks.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: SysInternals_Autoruns.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_WMIProviders.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_AccessibilityFeatures.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
|
||
# Documentation: | ||
# N/A |
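Review bot: same GUID (8da4a739-5367-47ca-ab84-12f4a0f8e0de) as the Network Activity compound module in this commit; assign a unique Id here. The Description `Parsing all Persistence category` reads oddly next to the sibling compounds; suggest `Parsing all information for Persistence Category` for consistency.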
@@ -37,3 +37,6 @@ Processors: | |
Executable: PowerShell_Services_List.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
|
||
# Documentation: | ||
# N/A |
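Review bot: the added `# Documentation:` block contains only `# N/A`; if there is nothing to link, consider omitting the block rather than adding a placeholder, or point to the documentation of the component modules listed above it.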
@@ -0,0 +1,54 @@ | ||
Description: Parsing all information for System Information Category | ||
Category: System Information | ||
Author: Max Zabuty | ||
Version: 1 | ||
Id: 223ac60b-b5be-4f79-8e16-4f16b1597f3c | ||
ExportFormat: json | ||
Processors: | ||
- | ||
Executable: PowerShell_SystemInformation.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_Processes.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_ProcessesIncludingServices.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_Drivers.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_NetworkShares.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_ActiveDrives.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_LocalUsers.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_LocalGroups.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: Windows_klist.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: Windows_nltest.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
- | ||
Executable: PowerShell_Defender_Exclusions.mkape | ||
CommandLine: "" | ||
ExportFormat: "" | ||
|
||
# Documentation: | ||
# N/A |
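Review bot: categorisation check: `PowerShell_NetworkShares.mkape` is listed here under System Information, while the SMB mapping, session and open-file modules were placed in the Network Activity compound in this same PR; decide on one home for share-related modules (or list it in both) so a Network Activity triage does not miss locally exposed shares.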
@@ -0,0 +1,20 @@ | ||
Description: Checks for Debugger registry value and file integrity of specific Windows features | ||
Category: Persistence | ||
Author: Max Zabuty | ||
Version: 1.0 | ||
Id: e3444190-b58e-4fe7-8048-e0bb1f40b3c7 | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | Export-Csv -NoTypeInformation -Encoding UTF8 -Path \"%destinationDirectory%\AccessibilityFeaturesCheck.csv\" " | ||
ExportFormat: csv | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\AccessibilityFeaturesCheck.json' " | ||
ExportFormat: json | ||
|
||
# Documentation | ||
# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9 |
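Review bot: the IFEO check is broken: `Test-Path -Path "$regPath\Debugger"` tests for a registry *key* named Debugger beneath the feature's IFEO subkey, but a debugger hijack is stored as a *value* named `Debugger` on `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<feature>`; Test-Path on a registry path does not see values, so the module reports "No Debugger" even when one is configured. Use `(Get-ItemProperty -Path $regPath -Name Debugger -ErrorAction SilentlyContinue).Debugger` and treat `$null` as no debugger. Second, `$sfcOutput[5].Split("`0")` hard-codes a line index into sfc's output; when sfc prints a different number of lines (for example when not elevated, since `sfc /VERIFYFILE` requires an administrator console), the index points at the wrong line or out of range and the result silently falls into the "File not found or invalid" branch. Join the whole output before matching and record the elevation requirement in the Description. Third, the script is duplicated verbatim in the csv and json processors, so sfc runs twice for each of the seven binaries; compute once and write both outputs from a single processor.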
@@ -1,15 +1,18 @@ | ||
Description: Named Pipes List | ||
Category: LiveResponse | ||
Author: nov3mb3r | ||
Category: Network Activity | ||
Author: Max Zabuty | ||
Version: 1.0 | ||
Id: f1f5f93d-d03b-45f4-bf72-7b8f9dc7ac23 | ||
ExportFormat: txt | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Format-Table FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime" | ||
ExportFormat: txt | ||
ExportFile: pipes.txt | ||
CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Named Pipes.csv'" | ||
ExportFormat: csv | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Named Pipes.json'" | ||
ExportFormat: json | ||
|
||
# Documentation | ||
# https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes |
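Review bot: the original author line `Author: nov3mb3r` is dropped and replaced with `Author: Max Zabuty`; the SMB mapping module in this same PR keeps the original author alongside the new one (`Author: Vito Alfano, Max Zabuty`), so do the same here. Also, `Version: 1.0` is left unchanged although the output format changes from txt to csv/json and the selected fields change; bump the version so consumers can tell the two outputs apart.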
@@ -0,0 +1,20 @@ | ||
Description: Collecting Network Routing Table Information | ||
Category: Network Activity | ||
Author: Max Zabuty | ||
Version: 1.0 | ||
Id: f1eaaf30-3b13-4c0e-836c-071f7a668948 | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Routing Table.csv'" | ||
ExportFormat: csv | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Routing Table.json'" | ||
ExportFormat: json | ||
|
||
# Documentation | ||
# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps |
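Review bot: `Get-NetRoute` without arguments returns the active routing table only; for persistence-style route tampering it is worth also collecting `Get-NetRoute -PolicyStore PersistentStore` so routes that survive a reboot are captured. Minor: the query runs twice to produce csv and json; run it once and write both files from a single processor.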
@@ -0,0 +1,22 @@ | ||
Description: Parses the Recycle Bin, gathering details about deleted files and exports the results in CSV and JSON formats. (Time in UTC) | ||
Category: FileDeletion | ||
Author: Max Zabuty | ||
Version: 1.0 | ||
Id: 3d845a61-5f0e-4d4f-bf57-b0e77b6b5db1 | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\RecycleBin.csv'" | ||
ExportFormat: csv | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: > | ||
-Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\RecycleBin.json'" | ||
ExportFormat: json | ||
|
||
# Documentation | ||
# https://forensafe.com/blogs/recycleBin.html | ||
# https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal | ||
# https://www.devhut.net/vba-shell-application-deep-dive/ |
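Review bot: `Shell.Application.Namespace(0xA)` enumerates the Recycle Bin of the account the command runs as; when KAPE runs as SYSTEM or as a triage admin account, other users' `$Recycle.Bin\<SID>` entries are not returned, so the `Username` column will only ever show the collecting account. State that limitation in the Description and pair the module with a target that collects the $I/$R files for all SIDs. Second, `$objSID.Translate([System.Security.Principal.NTAccount])` throws for SIDs that no longer resolve (deleted local accounts, a machine off the domain); wrap it in try/catch and fall back to the raw SID so one unresolved entry does not drop the row. Third, the Description claims "(Time in UTC)" but nothing in the command converts `$removalDate`; if ExtendedProperty returns local time, call `.ToUniversalTime()` or remove the claim. Finally, the whole script is duplicated for csv and json, so every recycled file is hashed twice; compute once and export both.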
@@ -1,14 +1,18 @@ | ||
Description: Retrieves the Server Message Block (SMB) client directory mappings. It replaces the command net use. | ||
Category: LiveResponse | ||
Author: Vito Alfano | ||
Category: Network Activity | ||
Author: Vito Alfano, Max Zabuty | ||
Version: 1.0 | ||
Id: 36092684-5d40-4159-baed-822b7eaaf0a0 | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status | Export-Csv -Path %destinationDirectory%\Net_Use.csv -NoTypeInformation " | ||
CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.csv' " | ||
ExportFormat: csv | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.json' " | ||
ExportFormat: json | ||
|
||
# Documentation | ||
# https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbmapping?view=windowsserver2022-ps |
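Review bot: the json processor still pipes to `Export-Csv`, so `SMB Mapping.json` will contain CSV, not JSON; replace the tail of that CommandLine with `ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\SMB Mapping.json'` as the other modules in this PR do. Also bump `Version: 1.0`, since the output file name and selected fields changed.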