Jonathan Johnson jsecurity101

## GrabTools.ps1
$EtwInspectorURL = "https://github.com/jsecurity101/ETWInspector/releases/download/1.0/EtwInspector.exe"
$JonMonURL = "https://github.com/jsecurity101/JonMon/releases/download/Beta-0.01/JonMon.zip"

$EtwInspecter = "EtwInspector.exe"
$JonMonZIP = "JonMon.zip"

# Download the file using Invoke-WebRequest
Write-Output "Downloading EtwINspector..."
Invoke-WebRequest -Uri $EtwInspectorURL -OutFile $EtwInspecter
Write-Output "EtwInspector Downloaded"

## Get-FwFilterFilterKey.txt
PS > Get-FwFilter -Key 8560068a-cb5a-4521-84cf-e1c0072dc359 | Format-FwFilter
Name       : Custom Outbound Filter
Action Type: Block
Key        : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id         : 68421
Description:
Layer      : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer  : FWPM_SUBLAYER_UNIVERSAL
Flags      : Persistent, Indexed
Weight     : 274877906944

## Get-FwFilterFilterId.txt
PS > Get-FwFilter -Id 68421 | Format-FwFilter
Name       : Custom Outbound Filter
Action Type: Block
Key        : 8560068a-cb5a-4521-84cf-e1c0072dc359
Id         : 68421
Description:
Layer      : FWPM_LAYER_ALE_AUTH_CONNECT_V4
Sub Layer  : FWPM_SUBLAYER_UNIVERSAL
Flags      : Persistent, Indexed
Weight     : 274877906944

## Get-RunningVulnDrivers.ps1
$LoadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver

$LoadedDrivers | % {
if ($_.PathName -ne $null) {
        # Check if the path starts with \??\ and adjust the relative path
        if ($_.PathName.StartsWith("\??\")) {
            $RelativePath = $_.PathName.Remove(0,4)
        } else {
            $RelativePath = $_.PathName
        }

## LDAPQueries.md

      
              1 file
            
          
              2 forks
            
          
              0 comments
            
          
              4 stars
            
          
                jsecurity101
                / LDAPQueries.md
            
            
              Created
              October 25, 2023 15:05
            
              
                List of known LDAP queries used by attackers
              
          
    List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

Queries are not complete and are meant to be a reference. If you are using them for hunting use a contains within the query language.

Kerberoasting

(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))


Attributes with passwords
(userpassword=*)


## gist:dc8bfc035cdaa42f87b2937dd2cef83b
enum MACRO_STATUS : __int64
{
  STATUS_WAIT_0 = 0x0,
  STATUS_SEVERITY_INFORMATIONAL = 0x1,
  STATUS_SEVERITY_WARNING = 0x2,
  STATUS_SEVERITY_ERROR = 0x3,
  STATUS_SUCCESS = 0x0,
  STATUS_WAIT_1 = 0x1,
  STATUS_WAIT_2 = 0x2,
  STATUS_WAIT_3 = 0x3,

## LOLDriverConfig.ps1
#Author: Jonathan Johnson (@jsecurity101)

function New-DriverConfig {

<#
	.EXAMPLE
    New-DriverConfig -Block
    Creates driver block config in the current directory

    .EXAMPLE

## NtfsControlFile.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                jsecurity101
                / NtfsControlFile.md
            
            
              Created
              April 27, 2023 13:18
            
          
## Threat-Intelligence-Events.csv

          
            EventId
            Event Description

            
              1
              THREATINT_ALLOCVM_REMOTE

            
              2
              THREATINT_PROTECTVM_REMOTE

            
              3
              THREATINT_MAPVIEW_REMOTE

            
              4
              THREATINT_QUEUEUSERAPC_REMOTE

            
              5
              THREATINT_SETTHREADCONTEXT_REMOTE

            
              6
              THREATINT_ALLOCVM_LOCAL

            
              7
              THREATINT_PROTECTVM_LOCAL

            
              8
              THREATINT_MAPVIEW_LOCAL

            
              11
              THREATINT_READVM_LOCAL

## LogonSessionProcesses.ps1
if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
    $TypeDef = @'
 using System;
 using System.Runtime.InteropServices;
 namespace TokenInformation {
     [Flags]
     public enum ProcessAccess {
         All = 0x001FFFFF,
         Terminate = 0x00000001,
         CreateThread = 0x00000002,
	$EtwInspectorURL = "https://github.com/jsecurity101/ETWInspector/releases/download/1.0/EtwInspector.exe"
	$JonMonURL = "https://github.com/jsecurity101/JonMon/releases/download/Beta-0.01/JonMon.zip"

	$EtwInspecter = "EtwInspector.exe"
	$JonMonZIP = "JonMon.zip"

	# Download the file using Invoke-WebRequest
	Write-Output "Downloading EtwINspector..."
	Invoke-WebRequest -Uri $EtwInspectorURL -OutFile $EtwInspecter
	Write-Output "EtwInspector Downloaded"
	PS > Get-FwFilter -Key 8560068a-cb5a-4521-84cf-e1c0072dc359 \| Format-FwFilter
	Name : Custom Outbound Filter
	Action Type: Block
	Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
	Id : 68421
	Description:
	Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
	Sub Layer : FWPM_SUBLAYER_UNIVERSAL
	Flags : Persistent, Indexed
	Weight : 274877906944
	PS > Get-FwFilter -Id 68421 \| Format-FwFilter
	Name : Custom Outbound Filter
	Action Type: Block
	Key : 8560068a-cb5a-4521-84cf-e1c0072dc359
	Id : 68421
	Description:
	Layer : FWPM_LAYER_ALE_AUTH_CONNECT_V4
	Sub Layer : FWPM_SUBLAYER_UNIVERSAL
	Flags : Persistent, Indexed
	Weight : 274877906944
	$LoadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver

	$LoadedDrivers \| % {
	if ($_.PathName -ne $null) {
	# Check if the path starts with \??\ and adjust the relative path
	if ($_.PathName.StartsWith("\??\")) {
	$RelativePath = $_.PathName.Remove(0,4)
	} else {
	$RelativePath = $_.PathName
	}
	enum MACRO_STATUS : __int64
	{
	STATUS_WAIT_0 = 0x0,
	STATUS_SEVERITY_INFORMATIONAL = 0x1,
	STATUS_SEVERITY_WARNING = 0x2,
	STATUS_SEVERITY_ERROR = 0x3,
	STATUS_SUCCESS = 0x0,
	STATUS_WAIT_1 = 0x1,
	STATUS_WAIT_2 = 0x2,
	STATUS_WAIT_3 = 0x3,
	#Author: Jonathan Johnson (@jsecurity101)

	function New-DriverConfig {

	<#
	.EXAMPLE
	New-DriverConfig -Block
	Creates driver block config in the current directory

	.EXAMPLE
	EventId	Event Description
	1	THREATINT_ALLOCVM_REMOTE
	2	THREATINT_PROTECTVM_REMOTE
	3	THREATINT_MAPVIEW_REMOTE
	4	THREATINT_QUEUEUSERAPC_REMOTE
	5	THREATINT_SETTHREADCONTEXT_REMOTE
	6	THREATINT_ALLOCVM_LOCAL
	7	THREATINT_PROTECTVM_LOCAL
	8	THREATINT_MAPVIEW_LOCAL
	11	THREATINT_READVM_LOCAL
	if (-not ('TokenInformation.ProcessNativeMethods' -as [type])){
	$TypeDef = @'
	using System;
	using System.Runtime.InteropServices;
	namespace TokenInformation {
	[Flags]
	public enum ProcessAccess {
	All = 0x001FFFFF,
	Terminate = 0x00000001,
	CreateThread = 0x00000002,