DumpMDEConfig – Extracting Microsoft Defender Configuration And Logs With PowerShell Script

Invoke-DumpMDEConfig is a PowerShell script designed to extract and display Microsoft Defender configuration and logs, including excluded paths, enabled ASR rules, allowed threats, protection history, and Exploit Guard protection history. The script provides options to output the data in a table or CSV format.

Usage

# To run the script and output the results in list format:
Invoke-DumpMDEConfig

# To run the script and output the results in table format:
Invoke-DumpMDEConfig -TableOutput

# To run the script and output the results in CSV format:
Invoke-DumpMDEConfig -CSVOutput

# To specify a custom file for table output:
Invoke-DumpMDEConfig -TableOutput -TableOutputFile "CustomFile.txt"

Phishing Engagement Infrastructure Setup Guide

The essential steps and strategies for setting up a robust phishing engagement infrastructure.

From acquiring and categorizing domains to automating your phishing efforts, this article provides practical insights and resources for building effective phishing campaigns.

We also delve into innovative methods for email delivery that bypass common security filters, ensuring your phishing emails reach their intended targets.

Whether you’re a cybersecurity professional or a red team member, these techniques will enhance your phishing capabilities.

Blogs/Talks

Red Team/Phishing Infra Automation

Domain Purchase And Categorization Techniques


Detection Lab – A Comprehensive Overview Of Its Features, Documentation, And Legacy

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations.

It can easily be modified to fit most needs or expanded to include additional hosts.

Read more about Detection Lab on Medium

NOTE: This lab has not been hardened in any way and runs with default vagrant credentials.

Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • A Splunk forwarder is pre-installed and all indexes are pre-created. Technology add-ons are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir’s Windows Event Forwarding subscriptions and custom channels are implemented
  • PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir’s osquery Configuration
  • Sysmon is installed and configured using Olaf Hartong’s open-sourced Sysmon configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • Zeek and Suricata are pre-configured to monitor and alert on network traffic
  • Apache Guacamole is installed to easily access all hosts from your local browser


Kupa3 – Script Dependencies And Domain Connections On Websites

Kupa3 allows you to draw connections between the scripts on a specific website. It searches the HTML for JavaScript code or script source attributes and crawls them in order to draw a dependency graph.

This approach can help bug hunters discover subdomains and examine JavaScript calls, and OSINT researchers check which companies are connected to each other or track advertising companies.

At the end, the graph is saved in GEXF format for exploration in Gephi.
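As an added illustration of the crawl Kupa3 describes (this is not Kupa3's own code, and the hosts in the sample documents are hypothetical), the block below pulls script references out of HTML pages and script bodies, follows them breadth-first, and builds a host-to-host dependency graph from constructed documents instead of live HTTP responses:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://[^\s'\"()<>]+")  # literal URLs in script bodies

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.extend(v for k, v in attrs if k == "src" and v)

def extract_references(url, body):
    """<script src> targets for HTML pages; literal URLs for .js bodies."""
    if urlparse(url).path.endswith(".js"):
        return URL_RE.findall(body)
    parser = ScriptSrcParser()
    parser.feed(body)
    return [urljoin(url, src) for src in parser.sources]

def build_domain_graph(start_url, fetch):
    """Breadth-first crawl of script references. Edge host_a -> host_b means a
    document served by host_a loads code from host_b (self-edges are dropped).
    fetch(url) returns the document text, or None if it cannot be retrieved."""
    graph, seen, queue = {}, set(), [start_url]
    while queue:
        url = queue.pop(0)
        body = None if url in seen else fetch(url)
        seen.add(url)
        if body is None:
            continue
        host = urlparse(url).netloc
        for ref in extract_references(url, body):
            if urlparse(ref).netloc != host:
                graph.setdefault(host, set()).add(urlparse(ref).netloc)
            queue.append(ref)
    return graph

# Constructed documents standing in for live HTTP responses (hypothetical hosts).
SAMPLE_PAGES = {
    "https://shop.example/": '<script src="/js/app.js"></script>'
                             '<script src="https://cdn.example/lib.js"></script>',
    "https://shop.example/js/app.js": "load('https://tracker.example/t.js');",
    "https://cdn.example/lib.js": "function lib(){}",
}
```

Feeding the resulting edge set into NetworkX and `write_gexf` reproduces the Gephi export step the tool ends with.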

Requirements

  • Python 3
  • BeautifulSoup
  • NetworkX
  • Matplotlib

pip3 install -r requirements.txt

Usage

root@kali:~# python kupa3.py -h

           (                 ,&&&.
            )                .,.&&
           (  (              \=__/
               )             ,'-'.
         (    (  ,,      _.__|/ /|
          ) /\ -((------((_|___/ |
        (  // | (`'      ((  `'--|
      _ -.;_/ \--._      \ \-._/.
     (_;-// | \ \-'.\    <_,\_\`--'|
     ( `.__ _  ___,')      <_,-'__,'
jrei  `'(_ )_)(_)_)' asciiart.eu

Tracking the trackers. Draw connections between scripts and domains on website.
medium.com/@woj_ciech github.com/woj-ciech
example: python3 kupa3.py https://nsa.gov

usage: kupa3.py [-h] [--url URL]

optional arguments:
  -h, --help  show this help message and exit
  --url URL   URL of website (default: https://nsa.gov)

Whapa – Comprehensive Guide To The WhatsApp Forensic Toolset

In the digital age, forensic analysis of messaging applications like WhatsApp is crucial for both security and investigative purposes.

‘Whapa’ offers a sophisticated suite of tools designed to parse and analyze WhatsApp data on Android and iOS devices.

Developed with Python and supported on multiple operating systems, Whapa enhances forensic capabilities with its robust features and compatibility.

Whatsapp Parser Toolset

Updated: May 2022

WhatsApp Messenger Version 2.21.9.14

Whapa is a set of graphical forensic tools to analyze WhatsApp data from Android and, soon, iOS devices. All the tools are written in Python 3.8 and have been tested on Linux, Windows and macOS systems.

Note: Whapa provides 10x more performance and fewer bugs on Linux systems than on Windows.

Whapa is included as standard in distributions such as Tsurugi Linux (Digital Forensics) and BlackArch Linux (Penetration Testing).

The Whapa toolset is divided into five tools:

Android

  • Whapa (WhatsApp Parser) (Only working with the old database, Work in Progress…)
  • Whacipher (WhatsApp Encryption/Decryption) *** Crypt15 not supported ***
  • Whagodri (WhatsApp Google Drive Extractor)
  • Whamerge (WhatsApp Merger) (Only working with the old database, Work in Progress…)
  • Whachat (WhatsApp Chat Exporter)

iPhone

  • Whacloud (WhatsApp iCloud Extractor) (Not working)
  • Whachat (WhatsApp Chat Exporter)


Installation

You can download the latest version of whapa by cloning the GitHub repository:

git clone https://github.com/B16f00t/whapa.git && cd whapa

then (Linux or macOS):

pip3 install --upgrade -r ./doc/requirements.txt

or (Windows):

pip install --upgrade -r .\doc\requirements.txt

Start

If you use a Linux system:

python3 whapa-gui.py

If you use a Windows system:

python whapa-gui.py

or click on whapa-gui.bat


iOS Frequent Locations Dumper – A Comprehensive Guide To Extracting Location Data

A powerful tool designed to extract and decode location data stored on iOS devices.

By accessing the StateModel#.archive files, users can effectively dump location data into various formats, including KML and CSV.

This guide provides a detailed walkthrough on using the script, along with necessary dependencies and usage examples to get started.

Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/

Usage:

python dump_freq_locs.py -output {k, c, e} <StateModel#.archive>

Output Options:

  • k – KML
  • c – CSV
  • e – Everything (KML & CSV)

Dependencies:

Sample Output:

sample_dump_freq_locs.txt – Sample script output

The Docker Forensics Toolkit : A Comprehensive Guide For Post-Mortem Analysis

This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.

Features

  • mount-image Mounts the forensic image of the docker host
  • status Prints status information about the container runtime
  • list-images Prints images found on the computer
  • show-image-history Displays the build history of an image
  • show-image-config Pretty prints the full config file of an image
  • list-containers Prints containers found on the computer
  • show-container-log Displays the latest container logfiles
  • show-container-config Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).
  • mount-container Mounts the file system of a given container at the given location (overlay2 only)
  • macrobber-container-layer Extracts file system metadata from the container layer of the given container. Use the output with the ‘mactime’ tool to create a timeline.
  • macrobber-volumes Extracts file system metadata from the volumes of the given container. Use the output with the ‘mactime’ tool to create a timeline.
  • carve-for-deleted-docker-files Carves the image for deleted Docker files, such as container configs, Dockerfiles and deleted log files. Requires ‘scalpel’ to be installed.

See usage.md for a tour of the features.
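The show-container-config feature combines config.v2.json and hostconfig.json; as an added example (not part of the toolkit, with constructed sample files and a hypothetical container), the block below reads those two files and flags the host-boundary settings an examiner would look at first in a post-mortem:

```python
import json

# Constructed samples modelled on the two files the toolkit combines; real files
# carry many more keys and the ID would be a full 64-hex container id.
CONFIG_V2 = json.dumps({
    "ID": "a1b2c3", "Name": "/web", "Created": "2021-03-01T10:00:00Z",
    "Config": {"Image": "nginx:1.19", "Cmd": ["nginx", "-g", "daemon off;"],
               "Env": ["PATH=/usr/sbin:/usr/bin", "DB_PASSWORD=hunter2"]},
})
HOST_CONFIG = json.dumps({
    "Privileged": True, "CapAdd": ["SYS_ADMIN"], "NetworkMode": "host",
    "Binds": ["/:/host:rw", "/var/run/docker.sock:/var/run/docker.sock"],
})

SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "KEY")
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/proc", "/sys")

def summarize_container(config_v2_text, hostconfig_text):
    """Fields an examiner reads first from config.v2.json and hostconfig.json."""
    cfg = json.loads(config_v2_text)
    host = json.loads(hostconfig_text)
    ccfg = cfg.get("Config") or {}
    return {
        "name": (cfg.get("Name") or "").lstrip("/"),
        "image": ccfg.get("Image"),
        "cmd": " ".join(ccfg.get("Cmd") or []),
        "created": cfg.get("Created"),
        "binds": list(host.get("Binds") or []),
        "privileged": bool(host.get("Privileged")),
        "cap_add": list(host.get("CapAdd") or []),
        "network_mode": host.get("NetworkMode"),
        # Env names that look like secrets; values are deliberately not copied.
        "secret_env": [e.split("=", 1)[0] for e in ccfg.get("Env") or []
                       if any(h in e.split("=", 1)[0].upper() for h in SECRET_HINTS)],
    }

def triage_findings(summary):
    """Settings that weaken the container/host boundary and deserve a closer look."""
    findings = []
    if summary["privileged"]:
        findings.append("privileged container")
    for cap in summary["cap_add"]:
        findings.append(f"extra capability: {cap}")
    if summary["network_mode"] == "host":
        findings.append("shares host network namespace")
    for bind in summary["binds"]:
        if bind.split(":")[0] in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {bind}")
    return findings
```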

Development

git-lfs is required to check out this repository. Use whatever editor you like.

Testing

Testing this tool in integration with a real Docker host image is complicated because:

  • Mounting images typically requires root permissions
  • Tests need to be executed as root to be able to read files owned by root on the Docker Host file system

Therefore there are two ways to test this tool: one with a real Docker host image and one with a temporary folder containing select files from a Docker host image (created by running the create_zipfile_from_testimage.py script). For local development it’s recommended to use the first way, while CI may use the latter.

Coverage

For a code coverage report run:

pytest --cov-report term-missing --cov=src tests/

Testing with a real Docker Host Image

  1. Mount the Docker Host image by running:

sudo python src/dof/main.py mount-image testimages/alpine-host/output-virtualbox-iso/packer-virtualbox-iso-*-disk001.vmdk.raw

Note the mountpoint of the root partition in the output:

Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.

  2. Run the pytest command as root with the image mountpoint as parameter:

sudo pytest --image-mountpoint=/tmp/test-4-root-2

Holehe Maltego Transform – Your Tool For Digital Investigation And Information Gathering

holehe allows you to check whether an email address is used on different sites like Twitter and Instagram, and will retrieve information from sites with a forgotten-password function.

In the evolving landscape of online intelligence, the Holehe Maltego Transform emerges as a pivotal tool for digital investigators.

Designed to reveal how email addresses are used across various platforms, Holehe leverages the forgotten password features on sites like Twitter and Instagram to gather crucial data.

This article delves into the functionalities and installation of Holehe, strictly for educational purposes, emphasizing its integration within the Maltego framework to enhance open-source intelligence (OSINT) capabilities.

Discover how Holehe can transform your investigative processes and data collection methods.

For the installation, check the wiki.

Example

Holehe OSINT – Email To Registered Accounts

Holehe checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others.

Installation

With PyPI

pip3 install holehe

With Github

git clone https://github.com/megadose/holehe.git
cd holehe/
python3 setup.py install

With Docker

docker build . -t my-holehe-image
docker run my-holehe-image holehe test@gmail.com

Quick Start

Holehe can be run from the CLI and rapidly embedded within existing python applications.

CLI Example

holehe test@gmail.com

Python Example

import trio
import httpx

from holehe.modules.social_media.snapchat import snapchat


async def main():
    email = "test@gmail.com"
    out = []
    client = httpx.AsyncClient()

    await snapchat(email, client, out)

    print(out)
    await client.aclose()

trio.run(main)


Telegram Trilateration – Exploring The Risks

It took them over a YEAR to realize their mistake but they FINALLY lowered the accuracy of the “People Nearby” function.

Or it might be that the huge sudden outburst of negativity from Russian and Ukrainian media has finally made them come to senses.

Either way, when you run the function now, you will only see results of 500m, 1km, 2km, etc. I have little faith left in Telegram when it comes to privacy and taking issues seriously.

This repository will stay online, but be advised that none of the data collection methods in here will work as expected.

Some Posts About This Repository:

[UA] (Focus.ua) Even the president can be located: Telegram lets you find out people's coordinates with metre accuracy

[RU] (CNews.ru) Telegram has turned into a legal means of tracking users' movements

[RU] (Habr.com) Telegram lets you find out people's coordinates with metre accuracy

[EN] (OS2INT.com) APPLYING EFFECTIVE OSINT TO GEO-MONITOR RUSSIAN MILITARY ACTIVITY


UPDATE: API method

Turns out Telegram offers the possibility to request people nearby using their API. This means that the entirety of the “Scraping” section in this repository became obsolete… Sigh…

Doing this requires about ~30 lines of code, instead of the spaghetti mountain I created by making an entire OPTICAL OCR SCRAPER AND PARSER… What was I thinking anyway?

TL;DR: I made a new script that can do the same thing, only much better and more stable.


Disclaimer

I have tried reaching out to Telegram via email. (Feb 22nd 2021)
After more than 1 month of no reply, I decided to open up this repository.

I AM NOT ACCOUNTABLE FOR ANY DAMAGE OR ILLEGAL ACTIVITY DONE BY END USERS! USE AT YOUR OWN RISK AND DISCRETION!

A while back, Telegram rolled out a new (Opt-in) feature which allows users to find people and groupchats close to their location.

This “Feature” allows you to see the relative distance between you and a user in meters! By abusing that data we are able to pinpoint someone’s general location.
