Here are a few RECmd batch file examples.

Example of using the new --tvars cli option in the just released KAPE 0.9.0.0.
kape --tsource f:\C\ --tdest g:\tmp\kape_out\tdest --target EventLogs --tvars eventlog:OAlerts --tflush
Gets you the single OAlerts.evtx event log.
kape --tsource f:\C\ --tdest g:\tmp\kape_out\tdest --target EventLogs --tflush
Gets you all event logs, just like the old target produced.

Get-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\" | New-ItemProperty -Name DisableAntiSpyware -Value 1

<#
.DESCRIPTION
This script is to facilitate processing only relevant event logs with EvtxECmd. EvtxECmd can
only process one file at a time with the "-f" switch or a directory of event logs with
the "-d" switch. An example list of relevant event logs is contained in the EntLogs2Process.txt file.
The initial list includes the event logs discussed in SANS FOR508. Once the event logs are copied to the
directory you provide on the cli, the script will process the event logs with EvtxECmd using the "-inc"
option to process only the event_ids provided in the $event_id variable. This variable is initially
populated with the event_ids discussed in SANS FOR508.

APPLICATION.evtx
Microsoft-Windows-PowerShell%4Operational.evtx
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
Microsoft-Windows-SmbClient%4Security.evtx
Microsoft-Windows-TaskScheduler%4Maintenance.evtx
Microsoft-Windows-TaskScheduler%4Operational.evtx
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Microsoft-Windows-WinRM%4Operational.evtx

# Set network to private
Get-NetConnectionProfile
Set-NetConnectionProfile -InterfaceIndex <index number> -NetworkCategory Private
# To Turn Off Firewall & AV:
NetSh Advfirewall set allprofiles state off
# Enabling PowerShell Remoting
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Test-WSMan -ComputerName SRV1

##############################
# Script from Jerod Alexander to update /kape/module/bin files
##############################
@echo off
cd "C:\Forensic Program Files\Zimmerman"
powershell .\Get-ZimmermanTools.ps1
cd C:\KAPE
powershell .\Get-KAPEUpdate.ps1
kape.exe --sync
robocopy "C:\Forensic Program Files\" C:\KAPE\Modules\bin *.exe /v /copy:dat /w:1 /r:1

# Please check https://github.com/cvandeplas/ELK-forensics for more information.
# Created by Christophe Vandeplas <christophe@vandeplas.com>
# Import a mactime output file to your Elasticsearch database.
#
# Do note that Plaso can export directly to Elasticsearch.
# Have a look at the plaso.conf file in this repository.
#
# To generate the mactime file using the CSV output:
# - first generate the dump file with 'log2timeline.py' from Plaso