SharpEventPersist – Persistence By Writing/Reading Shellcode From Event Log

Persistence by writing/reading shellcode from Event Log. Usage The SharpEventPersist tool takes 4 case-sensitive parameters: -file “C:pathtoshellcode.bin” -instanceid 1337 -source Persistence -eventlog “Key Management Service”. The shellcode is converted to hex and written to the “Key Management Service”, event level is set to “Information” and source is “Persistence”. Run the SharpEventLoader tool to fetch shellcodeRead More

Epagneul – Graph Visualization For Windows Event Logs

Epagneul is a tool to visualize and investigate windows event logs. Deployment Requires docker and docker-compose to be installed. Installing make Offline deployment On a machine connected to internet, build an offline release: make release This will create a release folder containing ready to go docker images. Copy the project to your air gapped machineRead More

WMEye – A Post Exploitation Tool That Uses WMI Event Filter And MSBuild Execution For Lateral Movement

WMEye is an experimental tool that was developed when exploring about Windows WMI. The tool is developed for performing Lateral Movement using WMI and remote MSBuild Execution. It uploads the encoded/encrypted shellcode into remote targets WMI Class Property, create an event filter that when triggered writes an MSBuild based Payload using a special WMI ClassRead More

Phant0m – Windows Event Log Killer

Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumesRead More

APT-Hunter – Threat Hunting Tool For Windows Event Logs Which Made By Purple Team Mindset To Provide Detect APT Movements Hidden In The Sea Of Windows Event Logs To Decrease The Time To Uncover Suspicious Activity

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity . this tool will make a good use of the windows event logs collected and make sure to notRead More

EvtMute – Apply A Filter To The Events Being Reported By Windows Event Logging

This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging. Usage Grap the latest verison from here. EvtMuteHook.dll contains the core functionality, once it is injected it will apply a temporary filter which will allow all events to be reported, thisRead More

DeepBlueCLI – a PowerShell Module for Threat Hunting via Windows Event Logs

DeepBlueCLI – a PowerShell Module for Threat Hunting via Windows Event Logs Eric Conrad, Backshore Communications, LLC deepblue at backshore dot net Twitter: @eric_conrad http://ericconrad.com Sample evtx files are in the .evtx directory Usage: .DeepBlue.ps1 <event log name> <evtx filename> See the Set-ExecutionPolicy Readme if you receive a ‘running scripts is disabled on this system’Read More

Commit Stream – OSINT Tool For Finding Github Repositories By Extracting Commit Logs In Real Time From The Github Event API

commit-stream drinks commit logs from the Github event firehose exposing the author details (name and email address) associated with Github repositories in real time.OSINT / Recon uses for Redteamers / Bug bounty hunters: Uncover repositories which employees of a target company is commiting code (filter by email domain) Identify repositories belonging to an individual (filterRead More

X