SharpEventPersist – Persistence By Writing/Reading Shellcode From Event Log

Persistence by writing/reading shellcode from Event Log. Usage The SharpEventPersist tool takes 4 case-sensitive parameters: -file “C:pathtoshellcode.bin” -instanceid 1337 -source Persistence -eventlog “Key Management Service”. The shellcode is converted to hex and written to the “Key Management Service”, event level is set to “Information” and source is “Persistence”. Run the SharpEventLoader tool to fetch shellcodeRead More

Phant0m – Windows Event Log Killer

Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumesRead More

Whatfiles – Log What Files Are Accessed By Any Linux Process

Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well. Rationale: I’ve long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. WhetherRead More

pwnSpoof – Generates realistic spoofed log files for common web servers with customisable attack scenarios

pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customisable attack scenarios. Every log bundle is unique and completely customisable, making it perfect for generating CTF scenarios and for training serials. Can you find the attacker session and build the incident picture?   About The Project pwnSpoof was created onRead More

DFIR-O365RC – PowerShell Module For Office 365 And Azure AD Log Collection

PowerShell module for Office 365 and Azure AD log collection Module description The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations. The logs are generated in JSON format and retrieved from two main data sources: Office 365 Unified AuditRead More