├── IP to Country Conversion 02242025.xlsx
├── README.md
├── convert-csv-to-xlsx
├── create_hostnames_csv
├── expand-triage-archive
├── invoke-kape-for-loop-output-to-excel
├── prep-ec2-w2k22-for-m365-investigation
├── psfalcon_run_rtr_script.ps1
├── rtr_port_blocking.ps1
├── username-generator.ps1
└── velociraptor-windows-hash-executable-files.yaml
/IP to Country Conversion 02242025.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/secure-cake/misc-scripts/c468d554f0d8d8c74baaa9ca6a6927eb4848e666/IP to Country Conversion 02242025.xlsx
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ### Misc Scripts, Links and Info
2 |
3 | #### IP address to Country Name Mapping:
4 | https://github.com/sapics/ip-location-db/tree/main/geolite2-country
5 | NOTE: I use the "geolite2-country-ipv4-num.csv" file (IP ranges expressed as base-10 integers) with the "IP To Country Conversion" spreadsheet, which expects those base-10 values.
6 |
7 | #### Split CSV Script:
8 |
9 | https://github.com/jschicht/Mft2Csv/blob/master/SplitCsv.ps1
10 |
11 | #### MS Excel "Advanced Filtering":
12 |
13 | https://support.microsoft.com/en-us/office/filter-by-using-advanced-criteria-4c9222fe-8529-4cd7-a898-3f16abdff32b#bkmk_2
14 |
15 | #### Windows Malware Investigations:
16 | https://www.youtube.com/live/TsTBnAo07ks?si=lSdHIy2obO3k5igL
17 | https://github.com/secure-cake/win-mal-investigations
18 |
19 | #### Rapid Endpoint Investigations
20 | https://github.com/secure-cake/rapid-endpoint-investigations
21 |
--------------------------------------------------------------------------------
/convert-csv-to-xlsx:
--------------------------------------------------------------------------------
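# Import a delimited text file (e.g. EvtxECmd / KAPE CSV output) into a new
# Excel workbook through the COM QueryTables API and save it as .xlsx.
#
# Requires a desktop Excel install (COM automation). Excel runs hidden, so
# DisplayAlerts is switched off below: otherwise a modal "overwrite?" dialog
# from SaveAs would hang the script with nothing visible on screen. That also
# means an existing $xlsx is overwritten silently.
#
# Caveat for forensic data: the CSV holds attacker-influenced strings (paths,
# event-log message text, URLs). Every column is imported with the "General"
# format (value 1 below), which lets Excel re-type cells - long numeric IDs can
# become scientific notation, leading zeros are dropped, date-like strings are
# reinterpreted. Use 2 (xlTextFormat) instead if you need hashes/IDs/timestamps
# kept verbatim. Do this on an analysis workstation with external content /
# DDE disabled regardless.

# Source CSV and destination XLSX - edit before running.
# (The original had a stray trailing space inside the $csv path string.)
$csv = "D:\cases\path-to-source-csv\EventLogs\2023082_EvtxECmd_Output.csv" # Location of the source file
$xlsx = "D:\cases\path-to-destination-xlsx\EVTX_CSV_To_XLS.xlsx"            # Desired location of output
# Field delimiter: usually a comma, but log2timeline/plaso etc. may use a pipe.
$delimiter = ","

if (-not (Test-Path -LiteralPath $csv)) {
    throw "Source CSV not found: '$csv'"
}

$excel = New-Object -ComObject excel.application
try {
    # Suppress modal prompts (see header comment).
    $excel.DisplayAlerts = $false

    # New workbook with one empty sheet.
    $workbook = $excel.Workbooks.Add(1)
    $worksheet = $workbook.Worksheets.Item(1)

    # Build a TEXT connector query that imports the file starting at A1.
    $txtConnector = "TEXT;" + $csv
    $connector = $worksheet.QueryTables.Add($txtConnector, $worksheet.Range("A1"))
    $query = $worksheet.QueryTables.Item($connector.Name)
    $query.TextFileOtherDelimiter = $delimiter
    $query.TextFileParseType = 1                                          # 1 = xlDelimited
    $query.TextFileColumnDataTypes = ,1 * $worksheet.Cells.Columns.Count   # 1 = General for every column; 2 = Text (see header)
    $query.AdjustColumnWidth = 1

    # Pull the data in, then drop the query definition so the workbook holds plain cells.
    $query.Refresh() | Out-Null
    $query.Delete()

    # 51 = xlOpenXMLWorkbook (.xlsx, no macros)
    $workbook.SaveAs($xlsx, 51)
    $workbook.Close($false)
}
finally {
    # Quit and release the COM reference; without this an EXCEL.EXE process
    # commonly lingers until the PowerShell session is garbage-collected.
    $excel.Quit()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
}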
28 |
--------------------------------------------------------------------------------
/create_hostnames_csv:
--------------------------------------------------------------------------------
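# Build the hostnames.csv consumed by psfalcon_run_rtr_script.ps1: one row per
# enabled computer object that is a direct member of the given AD group.
#
# Fixes vs. the original:
#   - the module name was misspelled ("AciveDirectory"), so the import failed;
#   - the output column is now named "Hostname". psfalcon_run_rtr_script.ps1
#     reads (Import-Csv ...).Hostname, and the old "name" header made that
#     evaluate to nothing, i.e. no hosts were targeted;
#   - user/group members of the group are skipped instead of being fed to
#     Get-ADComputer, which errors on them. Nested groups are NOT expanded;
#     add -Recursive to Get-ADGroupMember if you want that (and note the
#     cmdlet's server-side size limit on very large groups).
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groupName = 'Your_AD_Group_Name_Goes_Here'   # edit
$outputCsv = 'C:\Temp\hostnames.csv'

Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName } |
    Where-Object { $_.Enabled -eq $true } |
    Select-Object @{ Name = 'Hostname'; Expression = { $_.Name } } |
    Export-Csv -Path $outputCsv -NoTypeInformation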
4 |
--------------------------------------------------------------------------------
/expand-triage-archive:
--------------------------------------------------------------------------------
1 |
# Unpack every *.zip triage archive for a case into its own folder under
# triage_data (folder name = archive name without .zip). Run under
# PowerShell 7.x, as the original note says.
#
# Treat the contents as hostile: these archives were collected from hosts
# under investigation. Extract only into the case directory, do not open the
# extracted files on this machine, and keep the Archive module patched -
# crafted zip entries with ".." path components (zip-slip) are a recurring
# class of extractor bug, so don't point -DestinationPath anywhere sensitive.
$casename = '2023-0829-abccase'
$compressed_triage_data = "D:\cases\$casename\triage_data_compressed"
$unzipped_triage_data = "D:\cases\$casename\triage_data"

$archives = Get-ChildItem -Path $compressed_triage_data -Filter *.zip
foreach ($archive in $archives) {
    # -Force overwrites files left by an earlier extraction of the same host.
    $hostFolder = Join-Path $unzipped_triage_data $archive.BaseName
    Expand-Archive -Path $archive.FullName -DestinationPath $hostFolder -Force
}
11 |
--------------------------------------------------------------------------------
/invoke-kape-for-loop-output-to-excel:
--------------------------------------------------------------------------------
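# Run a fixed set of KAPE modules against every host's triage upload for a
# case, then roll each host's CSV/XLS(X) parser output into one Excel workbook.
#
# Usage:
#   - Run from the KAPE folder; Invoke-Kape.ps1 (dot-sourced below) must be there.
#   - Desktop Excel must be installed (COM automation does the roll-up).
#   - Edit the three variables below (case name, triage dir, output dir).
#
# Fix vs. the original: source workbooks were closed with Close() and no
# argument, which made Excel ask "save changes?" for every CSV (hence the old
# "click don't save" instruction). They are now closed with Close($false) and
# DisplayAlerts is off, so the run is unattended.
#
# Safety note: the CSVs opened in Excel are built from artifacts of a possibly
# compromised host (file names, event-log message text, URLs). When Excel opens
# a .csv it treats cells starting with "=", "+", "-" or "@" as formulas, so do
# this on an analysis VM with external content / DDE disabled and do not click
# through any "update links" / security prompts.
. .\Invoke-Kape.ps1

$casename = '2023-0829-abccase'
$triage_data_directory = "D:\cases\$casename\triage_data"
$kape_destination_directory = "D:\cases\$casename\kape_output"

(Get-ChildItem -Directory -Path $triage_data_directory).Name | ForEach-Object {
    $hostName = $_
    $hostSource = "$triage_data_directory\$hostName\uploads\auto\C%3A"

    # General artifact parsers -> <host>   (this folder is what gets rolled up)
    Invoke-Kape -msource $hostSource -mdest "$kape_destination_directory\$hostName" -Module ObsidianForensics_Hindsight,NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads,AppCompatCacheParser,PECmd,AmcacheParser,SBECmd -mvars csv
    # Event logs -> <host>-evtx   (separate folder; NOT rolled into the workbook)
    Invoke-Kape -msource $hostSource -mdest "$kape_destination_directory\$hostName-evtx" -Module EvtxECmd,hayabusa_LogonSummary,hayabusa_OfflineEventLogs,hayabusa_OfflineLogonSummary,hayabusa_UpdateRules -mvars csv
    # $MFT -> <host>-mft   (not rolled up). Comment out the line below to skip it.
    # 'MFTECmd_$MFT' is single-quoted on purpose: "$MFT" is part of the module name, not a variable.
    Invoke-Kape -msource "$triage_data_directory\$hostName\uploads\ntfs\%5C%5C.%5CC%3A" -mdest "$kape_destination_directory\$hostName-mft" -Module 'MFTECmd_$MFT' -mvars csv
    # Bulk Extractor -> <host>-be   (slow, not rolled up). Comment out the line below to skip it.
    Invoke-Kape -msource $hostSource -mdest "$kape_destination_directory\$hostName-be" -Module Bulk_extractor -mvars csv

    # Roll every csv/xls/xlsx under <host> into one workbook. Only that folder
    # is scanned, so the -evtx/-mft/-be outputs stay in their own directories.
    $excelFiles = Get-ChildItem -Path "$kape_destination_directory\$hostName" -Recurse -Include *.csv, *.xls, *.xlsx

    $excelApp = New-Object -ComObject excel.application
    try {
        $excelApp.Visible = $true
        # No modal prompts (save changes? overwrite?) - an unattended loop must not hang.
        $excelApp.DisplayAlerts = $false

        $workbook = $excelApp.Workbooks.Add()
        $targetSheet = $workbook.Sheets.Item("Sheet1")

        foreach ($excelFile in $excelFiles) {
            $sourceBook = $excelApp.Workbooks.Open($excelFile.FullName)
            # Copies the first sheet in front of the target sheet; its tab name is the source file name.
            $sourceBook.Sheets.Item(1).Copy($targetSheet)
            $sourceBook.Close($false)   # $false = discard changes, no prompt
        }

        $workbook.SaveAs("$kape_destination_directory\$hostName-kape.xlsx")
        $workbook.Close($false)
    }
    finally {
        # Quit and release, so one EXCEL.EXE does not linger per host processed.
        $excelApp.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excelApp)
    }
}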
35 |
--------------------------------------------------------------------------------
/prep-ec2-w2k22-for-m365-investigation:
--------------------------------------------------------------------------------
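# One-shot prep of a fresh Windows Server 2022 EC2 host for an M365 / Entra ID
# investigation: installs the legacy AzureAD + MSOnline modules (Windows
# PowerShell 5.x only), installs PowerShell 7 from its MSI, then installs
# ExchangeOnlineManagement and Microsoft.Graph into pwsh.
#
# Before running (manually, once):
#   - Allow script execution, e.g.
#       Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
#     RemoteSigned is the more conservative choice, but the installer script
#     downloaded below may then be blocked until you inspect it and run
#     Unblock-File on it.
#   - Set a password for the user account the investigation will run as.
#   - Launch this from Windows PowerShell 5.x (not pwsh): AzureAD/MSOnline do
#     not load in PowerShell 7.
#
# Caveats:
#   - AzureAD and MSOnline are on Microsoft's deprecation path in favour of
#     Microsoft.Graph; confirm they still work for your tenant before relying on them.
#   - Install-Module -Force installs the latest gallery version with no prompt
#     and no version pin. For a repeatable IR image, pin with -RequiredVersion
#     once you have a known-good set.

# NuGet provider is what PowerShellGet needs to talk to the PSGallery.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name AzureAD -Repository PSGallery -Force
Install-Module -Name MSOnline -Repository PSGallery -Force

# Install PowerShell 7.x via MSI. The original piped the remote script straight
# into Invoke-Expression; fetching it to disk first leaves a copy you can read
# (and hash / record in the case notes) before it executes.
$installerScript = Join-Path $env:TEMP 'install-powershell.ps1'
Invoke-RestMethod -Uri 'https://aka.ms/install-powershell.ps1' -OutFile $installerScript
& $installerScript -UseMSI -Quiet

# The remaining modules go into pwsh. Be patient: this takes several minutes
# and pwsh -Command shows no progress indicators.
$pwsh = 'C:\Program Files\PowerShell\7\pwsh.exe'
if (-not (Test-Path -LiteralPath $pwsh)) {
    # The MSI ran with -Quiet, so a failed install would otherwise only surface
    # as a confusing "pwsh.exe not found" on the next line.
    throw "pwsh.exe not found at '$pwsh' - the PowerShell 7 MSI install appears to have failed; check $installerScript and the Windows Installer event log."
}
& $pwsh -Command Install-Module -Name ExchangeOnlineManagement -Repository PSGallery -Force
& $pwsh -Command Install-Module -Name Microsoft.Graph -Scope AllUsers -Repository PSGallery -Force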
13 |
--------------------------------------------------------------------------------
/psfalcon_run_rtr_script.ps1:
--------------------------------------------------------------------------------
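# Run a CrowdStrike RTR cloud script on every host listed in a CSV, via PSFalcon.
# On first use PSFalcon prompts for the ClientId/ClientSecret of an API client
# with Real Time Response scopes (RTR Admin is needed for custom cloud scripts).
#
# This executes code on endpoints at scale. Before pointing it at a host list:
#   - the CSV needs a "Hostname" column, one hostname per row
#     (create_hostnames_csv in this repo writes that header);
#   - check the resolved host count printed below - a hostname that matches
#     several sensor IDs (re-imaged machines) or a typo in the list widens the
#     blast radius.
#
# Fixes vs. the original: hostnames that resolve to nothing no longer put a
# $null into the -HostIds list (and are warned about), an empty host list
# aborts instead of calling the API, and the script name is quoted so names
# containing spaces reach RTR as one argument.
Import-Module -Name PSFalcon

# Edit the path to match your CSV.
$hostnames = (Import-Csv -Path 'c:\Temp\hostnames.csv').Hostname

# Resolve each hostname to its sensor (agent) ID with an FQL filter.
$falcon_hosts = foreach ($hostname in $hostnames) {
    if ([string]::IsNullOrWhiteSpace($hostname)) { continue }
    $ids = Get-FalconHost -Filter "hostname:'$hostname'"
    if (-not $ids) {
        Write-Warning "No Falcon host found for hostname '$hostname' - skipping"
    }
    $ids
}
$falcon_hosts = @($falcon_hosts | Where-Object { $_ })

if ($falcon_hosts.Count -eq 0) {
    throw 'None of the hostnames in the CSV resolved to a Falcon host ID; nothing to run.'
}
Write-Host "Resolved $($falcon_hosts.Count) host ID(s) from $(@($hostnames).Count) hostname(s)."

# Name of the RTR cloud script to execute, exactly as shown in the Falcon console.
$rtrscriptname = Read-Host 'Enter RTR Script Name'
if ([string]::IsNullOrWhiteSpace($rtrscriptname)) {
    throw 'No RTR script name given.'
}
$commandarguments = "-CloudFile=`"$rtrscriptname`""

# Output: a basic CSV (true/false completion status, session identifiers, etc.)
# per host, named after the script and timestamped.
$ExportName = "$pwd\rtr_$($rtrscriptname -replace ' ','_')_$(Get-Date -Format FileDateTime).csv"
# If your script runs longer than the RTR default command timeout, add the
# timeout parameter your PSFalcon version provides (check Get-Help Invoke-FalconRTR).
Invoke-FalconRTR -Command runscript -Arguments $commandarguments -HostIds $falcon_hosts | Export-Csv -Path $ExportName -NoTypeInformation

if (Test-Path -LiteralPath $ExportName) {
    # Show where the results landed.
    Get-ChildItem -LiteralPath $ExportName
}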
18 |
--------------------------------------------------------------------------------
/rtr_port_blocking.ps1:
--------------------------------------------------------------------------------
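# IR containment (intended to be pushed via Falcon RTR): turn the Windows
# Firewall on for every profile and add an inbound block for TCP 445 (SMB) and
# 3389 (RDP). Block rules take precedence over allow rules in Windows Firewall,
# so existing "allow RDP" rules do not override this. RTR itself rides the
# sensor's outbound cloud connection, so an inbound block does not cut off your
# own access - but verify the host is not a server that must accept SMB/RDP,
# and consider Falcon's built-in network containment if full isolation is the goal.
#
# Fix vs. the original: it ran `Set-NetFirewallRule -Enabled True` with no
# filter, which enables EVERY firewall rule on the host - including
# administratively disabled *allow* rules - instead of enabling the firewall
# profiles. That can open ports in the middle of containment. The profiles are
# now enabled with Set-NetFirewallProfile.
$ports_to_block = @("445","3389")
$ruleName = "IR: Block $ports_to_block Inbound"   # expands to "IR: Block 445 3389 Inbound"

Set-NetFirewallProfile -All -Enabled True

# Idempotent: re-running on a retry should not stack duplicate rules.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Output "Firewall rule '$ruleName' already exists; leaving it in place."
}
else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -LocalPort $ports_to_block -Protocol TCP -Action Block
}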
6 |
--------------------------------------------------------------------------------
/username-generator.ps1:
--------------------------------------------------------------------------------
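# Generate candidate AD usernames from first/last name lists - e.g. "john smith"
# with 2 first-name chars + 4 last-name chars -> "josmit", plus josmit1..20 -
# then validate which candidates exist as enabled users in the domain.
#
# This is an account-enumeration tool. Only run the validation section against
# a domain you are authorised to test; every Get-ADUser call is an LDAP query
# the domain controllers can log.
#
# Fixes vs. the original:
#   - Substring(0,n) threw when n exceeded a name's length (e.g. "amy" with 4
#     first-name chars); names shorter than n are now used whole.
#   - Output files are rewritten each run instead of appended to; the old
#     -Append silently mixed in results from previous runs and skewed the counts,
#     and opened the file once per line.
#   - The catch block referenced an undefined $errors variable, so every failure
#     was swallowed. "User not found" is now reported via Write-Verbose and
#     anything else as a warning.
#   - "gonzlez" in the surname list corrected to "gonzalez".
Import-Module ActiveDirectory

$outDir       = "$env:USERPROFILE\Downloads"
$rawOutput    = "$outDir\usernames-output.txt"
$uniqueOutput = "$outDir\usernames-output-unique.txt"
$validOutput  = "$outDir\valid_users.txt"

# Uncomment the two lines below to read names from files (one per line) instead of the built-in lists.
#$lastnames = Get-Content "$outDir\lastnames.txt"
#$firstnames = Get-Content "$outDir\firstnames.txt"
$lastnames = "smith","johnson","williams","brown","jones","miller","davis","garcia","rodriguez","wilson","martinez","hernandez","lopez","anderson","gonzalez","white","harris","taylor"
$firstnames = "james","john","robert","michael","william","david","richard","joseph","thomas","charles","christopher","daniel","matthew","anthony","mary","patricia","jennifer","linda","elizabeth","barbara","susan","jessica","sarah","margaret","karen","nancy","lisa","betty","dorothy","melissa","amanda","amy","nicole","megan","rebecca","kimberly","christina","amber","rachel","tiffany","laura","emily"

# Number of characters to take from each name; names shorter than this are used in full.
[int]$firstname_chars = Read-Host "Enter desired number of characters from the first name"
[int]$lastname_chars  = Read-Host "Enter desired number of characters from the last name"
if ($firstname_chars -lt 1 -or $lastname_chars -lt 1) {
    throw 'Character counts must be at least 1.'
}

# First $MaxChars characters of $Name, or the whole name if it is shorter.
function Get-NamePrefix {
    param([string]$Name, [int]$MaxChars)
    $Name.Substring(0, [Math]::Min($MaxChars, $Name.Length))
}

$usernames = foreach ($lastname in $lastnames) {
    # To use the entire last name instead of a prefix, replace the next line with: $lastname_truncated = $lastname
    $lastname_truncated = Get-NamePrefix -Name $lastname -MaxChars $lastname_chars
    foreach ($firstname in $firstnames) {
        $username = (Get-NamePrefix -Name $firstname -MaxChars $firstname_chars) + $lastname_truncated
        $username
        # Numeric suffixes 1..20, e.g. johsmith1
        1..20 | ForEach-Object { "$username$_" }
    }
}
$usernames | Out-File -FilePath $rawOutput

# Sort and de-duplicate: short prefixes collide easily (John/Joseph + Smith -> "josmit").
# De-duplication is case-insensitive, matching how AD treats sAMAccountNames.
$uniqueUsernames = $usernames | Sort-Object -Unique
$uniqueUsernames | Out-File -FilePath $uniqueOutput

# Internal validation: which candidates exist as enabled AD users?
$validUsers = foreach ($candidate in $uniqueUsernames) {
    try {
        # Get-ADUser -Identity throws for a non-existent sAMAccountName; -ErrorAction Stop makes that catchable.
        Get-ADUser -Identity $candidate -ErrorAction Stop |
            Where-Object { $_.Enabled -eq $true } |
            Select-Object -ExpandProperty Name
    }
    catch {
        if ($_.Exception.GetType().Name -eq 'ADIdentityNotFoundException') {
            Write-Verbose "$candidate not found"   # expected for most candidates
        }
        else {
            Write-Warning "Lookup for '$candidate' failed: $($_.Exception.Message)"
        }
    }
}
$validUsers | Out-File -FilePath $validOutput

# Summary: how many candidates were generated and how many are real, enabled users.
"Candidate usernames (unique): $(@($uniqueUsernames).Count)"
"Valid, enabled users found:   $(@($validUsers).Count)"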
39 |
--------------------------------------------------------------------------------
/velociraptor-windows-hash-executable-files.yaml:
--------------------------------------------------------------------------------
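name: Windows.Hash.Executable.Files
description: |
  This artifact is designed to acquire SHA1 hash values and path/filenames for "executable" files (exe, bat, ps1, json, dll, vbs, cmd, scr) "recently" modified (days configurable) in the most common, user-writeable Windows directories (C:\Users and C:\ProgramData), looking for "abnormal/malicious" executable content.

  Implementation notes:
    - Collection spawns powershell.exe (Get-ChildItem | Get-FileHash) and parses
      its JSON output, so the artifact needs the EXECVE permission and the run
      is visible to script-block logging / EDR on the endpoint.
    - Only files whose LastWriteTime falls within the last DaysSinceModified
      days are hashed. LastWriteTime is attacker-controllable (timestomping),
      so an empty result is not proof of absence.
    - SHA1 is what is reported; change "-Algorithm sha1" in the query to
      sha256 if your intel lookups need SHA256.
    - PowerShell stdout is read up to 1,000,000 bytes (length= below). A host
      with very many matching files would yield truncated JSON and a failed
      parse - lower DaysSinceModified or raise length if that happens.
    - ConvertTo-Json is called with -InputObject @(...) so that zero or one
      matching file still produces a JSON array; piping a single object into
      ConvertTo-Json emits a bare object, which parse_json_array rejects.

required_permissions:
  - EXECVE

precondition:
  SELECT OS From info() where OS = 'windows'

parameters:
  - name: DaysSinceModified
    # Typed as int so the server rejects non-numeric input: the value is
    # string-interpolated into a PowerShell command line below, and an
    # unconstrained string would let the caller append arbitrary PowerShell.
    type: int
    default: 5

sources:
  - query: |
      LET BaseScript = '''$FormatEnumerationLimit=-1; $paths='c:\users','c:\programdata'; ConvertTo-Json -InputObject @(get-childitem -path $paths -Recurse -Force -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt (get-date).AddDays($DaysSinceModified)} | where {$_.extension -in ".exe",".bat",".ps1",".json",".dll",".vbs",".cmd",".scr"} | Get-FileHash -Algorithm sha1 -ErrorAction SilentlyContinue)'''
      LET PowershellScript <= join(array=['$DaysSinceModified=','"','-',str(str=DaysSinceModified),'"',";"," ",BaseScript])
      SELECT * FROM foreach(
        row={
          SELECT Stdout FROM execve(argv=["Powershell", "-ExecutionPolicy",
            "unrestricted", "-c", PowershellScript], length=1000000)
        }, query={
          SELECT * FROM parse_json_array(data=Stdout)
        })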
26 |
--------------------------------------------------------------------------------