```text
hello world
```
```text
Hello World
```
```powershell
# Based on logic found here: https://gist.github.com/ecapuano/1c6bd492707114a052915e85f443a832
# Assumes default path for Transcripts (change as needed)
#
# https://blog.ecapuano.com

# 1) Discover transcript files
$transcripts = Get-ChildItem -Path C:\Users -Filter 'PowerShell_transcript*.txt' `
    -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

# 2) Curated patterns
```
```powershell
# Run in Admin PowerShell prompt on Windows SIFT
# Quick run: irm https://gist.githubusercontent.com/ecapuano/6f2cf1a0454f831d3db59feaab119b48/raw/hayabusa-sift.ps1 | iex
#
# Maintained by Eric Capuano
# - https://github.com/ecapuano
# - https://blog.ecapuano.com/
# - https://bsky.app/profile/eric.zip
#
# Huge thanks to Zach Mathis and the team behind Hayabusa: https://github.com/Yamato-Security/hayabusa
```
```powershell
# ================================================
# Sysmon & Windows Event Log Configuration Script
# ================================================

# Check for administrative privileges (event log and Sysmon configuration require them)
$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($currentUser)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "This script requires administrative privileges. Please run as an administrator." -ForegroundColor Red
    exit 1
}
```
```powershell
#################################
# Script: HashMorpher.ps1
# Author: Eric Capuano
# Source: https://blog.ecapuano.com/p/the-role-of-fuzzy-hashes-in-security
# Social: https://bsky.app/profile/eric.zip
######### What is this? #########
#
# This script is an interactive tutorial to better understand the difference
# between static hashes and fuzzy hashes
#
```
```yara
rule sliver_strings {
    meta:
        author = "Eric Capuano, inspired by NCSC UK"
        description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
    strings:
        $p1 = "/sliver/"
        $p2 = "sliverpb"
    condition:
        all of ($p*)
}
```
```yara
rule sliver_github_file_paths_function_names {
    meta:
        author = "NCSC UK"
        description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
    strings:
        $p1 = "/sliver/"
        $p2 = "sliverpb."
        $fn1 = "RevToSelfReq"
        $fn2 = "ScreenshotReq"
        $fn3 = "IfconfigReq"
```
```yaml
name: Windows.Destroy.System
description: |
  **WARNING! THIS IS HIGHLY DESTRUCTIVE!**
  Deletes ALL of the things. UNRECOVERABLE!
  First deletes sensitive areas (user profiles, event logs) then moves
  to wiping and zeroizing the entire C: drive.
  The system will ultimately fail before the process finishes, but the
```