Own tools

Purpose: Live Process Monitor is a Windows GUI tool designed for baseline-driven endpoint process and network monitoring. It allows the user to create a snapshot baseline of running processes and their network activity, and then transition into continuous post-baseline monitoring to identify new processes, terminated processes, and changes in TCP and UDP network connections. Unlike tools that display only momentary live activity, Live Process Monitor does not discard post-baseline observations over time. All post-baseline process and network activity is continuously collected, retained, and presented as an auditing history, allowing the user to review the full sequence of changes without losing important context. The tool correlates process metadata, command lines, executable hashes, and live network endpoints in a single unified view to support incident response, malware analysis, and live endpoint triage.

Design principles:

1. Baseline-first approach, where all activity observed during baseline creation is treated as trusted reference state.
2. Post-baseline monitoring that highlights only newly introduced or changed processes while preserving historical visibility.
3. Session-based evidence retention, where processes and connections remain visible even after termination for investigative review.

Baseline-driven monitoring model:

1. This tool operates in two distinct phases: baseline creation and post-baseline monitoring.
2. Baseline data represents the initial known system state and is visually separated from post-baseline activity.
3. Post-baseline monitoring highlights only newly observed processes and network connections after baseline completion.
4. This design allows rapid visual identification of suspicious or unexpected activity without prior system knowledge.
5. All collected data exists only in memory for the current session unless explicitly exported by the user.

What the application does:

1. Creates a baseline snapshot of running processes using Windows-native mechanisms (WMI and system APIs).
2. Collects detailed process metadata, including parent-child relationships, executable paths, command lines, and SHA-256 file hashes.
3. Monitors process lifecycle events in real time, including process start and process termination.
4. Enumerates active TCP and UDP network endpoints and correlates them with owning processes (PID-based ownership).
5. Tracks network connection history per process, including first seen time, last seen time, and end time for TCP connections.
6. Performs optional reverse DNS resolution for public remote IP addresses to provide basic contextual information.

Purpose: Live Process Monitor Plus extends the baseline-driven monitoring model by correlating native Windows telemetry with optional Sysmon event data, providing deeper timeline visibility while preserving the same workflow and user interface principles.

Sysmon-based enrichment (optional):

When Sysmon is installed, running, and properly configured, Live Process Monitor Plus enriches process and network data with additional low-level telemetry:

1. Correlates Sysmon Event ID 1 (Process creation) with existing process rows.
2. Correlates Sysmon Event ID 5 (Process terminated) to record precise termination times.
3. Correlates Sysmon Event ID 3 (Network connection detected) with existing or newly observed network connections.
4. Displays all observed Sysmon Event IDs (1, 3, 5) per process in a dedicated column.
5. Adds explicit Sysmon-based timestamps for process creation and termination.

To enable Sysmon-based enrichment features in Live Process Monitor Plus, Sysmon must be installed, running, and configured with a compatible configuration file that enables logging of Sysmon Event ID 1, 3, and 5.
SysmonConfigurator.exe can be used to configure Sysmon automatically.

Purpose: Active Endpoint Hash & IP Inspector is a Windows GUI suite that bundles five endpoint inspection modules into a single tabbed application. It is designed for rapid baseline creation and follow-up threat hunting by combining local endpoint inspection with optional reputation enrichment using VirusTotal and AbuseIPDB.

Important notice – external reputation APIs:

1. This application optionally integrates with third-party reputation services (VirusTotal and AbuseIPDB) to enrich collected artifacts with contextual intelligence.
2. On first launch, the application displays mandatory notice dialogs explaining API usage limits, licensing constraints, and acceptable use conditions.
3. Users must explicitly accept these notices to proceed. Declining acceptance prevents the application from running.
4. By accepting the notices, users confirm that they understand applicable API limits, are authorized to use the provided API keys, and accept full responsibility for how the tool and integrated services are used.
5. Reputation lookups are optional. When API keys are not provided, all inspection modules remain fully functional and only the final reputation-related columns remain unpopulated.

Note: Users are responsible for ensuring compliance with the current Terms of Service of VirusTotal and AbuseIPDB. API limits, licensing conditions, and policies may change over time.

Application structure:

ActiveEndpointHashIPInspectorv1.1.exe is the main application and unified entry point for the entire toolkit.
The application hosts five endpoint inspection modules inside a single TabControl interface. Each module is implemented as a dedicated UserControl and embedded as a tab.
The main application itself does not perform scanning logic. Its responsibilities include:

1. hosting and orchestrating modules,
2. presenting a unified user interface,
3. enforcing startup notices and responsibility acceptance,
4. handling optional API key input for the current session,
5. and providing a consistent operational workflow across all modules.

User experience:

1. All inspection capabilities are presented within a single integrated GUI, allowing analysts to switch between endpoint perspectives without launching multiple executables.
2. Each hosted module follows a consistent operational model:
• baseline-oriented scanning,
• pause and resume for long-running reputation lookups,
• tab-specific Skip modes for new-artifact-only detection,
• and CSV export functionality implemented within each module.
3. The application provides a uniform look, feel, and control layout across all modules to reduce analyst cognitive load during investigations.

Summary: ActiveEndpointHashIPInspectorv1.1.exe is the wrapper and orchestrator for a five-module Windows endpoint inspection toolkit. It provides a single unified UI, enforces responsible API usage, manages optional session-based keys, and embeds individual inspection modules as tabs to support baseline-driven endpoint analysis and threat hunting.

Purpose: Active SHA-256 Hash Checker is a Windows GUI tool designed for quick endpoint triage of currently running processes. It enumerates live processes, computes SHA-256 hashes of their executable files on disk, and optionally enriches those hashes with VirusTotal reputation data to support baseline creation and follow-up threat hunting.

User interface and displayed data:

The application presents a table with the following columns:

• PID
• Process Name (normalized to display with .exe suffix)
• Process Path
• Process SHA-256 Hash
• VirusTotal Detection Summary

Purpose: Active Public IP Checker is a Windows GUI tool designed for endpoint network triage. It enumerates active TCP connections, filters out non-public remote endpoints, correlates each connection with the owning process, and optionally enriches public IP addresses with reputation data from AbuseIPDB to support baseline creation and follow-up threat hunting.

User interface and displayed data:

The application presents a live-updating table with the following columns:

• Public IP Address
• IP Location
• Source Port
• Destination Port
• Protocol
• Connection State
• PID
• Process Name
• Process Path
• AbuseIPDB Reputation Summary

Purpose: Service Hash Checker is a Windows GUI tool designed for service-based endpoint triage. It inventories Windows services, extracts executable paths and command lines, computes SHA-256 hashes of service binaries on disk, and optionally enriches those hashes with VirusTotal detection summaries to support baseline creation and persistence-focused threat hunting.

User interface and displayed data:

The application presents a live-updating table with the following columns:

• Service Name
• Status
• Startup Type
• Executable Path
• Executable File Name
• Executable Command Line
• Executable File SHA-256 Hash
• VirusTotal Detection Summary

Purpose: Scheduled Task Hash Checker is a Windows GUI tool designed for persistence analysis and threat hunting focused on Windows Scheduled Tasks. It enumerates scheduled tasks, expands them into individual task actions, computes SHA-256 hashes of action executables, and optionally enriches those hashes with VirusTotal detection summaries to support baseline creation and detection of newly introduced persistence.

User interface and displayed data:

The application presents a live-updating table with the following columns:

• Scheduled Task Name
• Task Triggers
• Task Action Type
• Action File Path
• Action File Name
• Action Command Line
• Action File SHA-256 Hash
• VirusTotal Detection Summary

Purpose: Autostart Hash Checker is a Windows GUI tool designed for persistence triage and threat hunting. It aggregates common Windows autostart mechanisms, resolves the executables behind each entry, computes SHA-256 hashes of those files, and optionally enriches results with VirusTotal detection summaries to support baseline creation and detection of newly introduced persistence.

User interface and displayed data:

The application presents a live-updating table with the following columns:

• Persistence Method
• Source Location
• Startup Trigger
• Scope
• Target Path
• Entry or File Name
• Details (for example: command line)
• Target SHA-256 Hash
• VirusTotal Detection Summary

Purpose: A Windows tool designed for SOC labs and controlled test environments, for disabling 16 Windows Defender components (9 functional protection components and 7 services/drivers) to support malware research, detection engineering, and blue team training.

Important notice:

1. This tool modifies security-critical Windows Defender configuration by applying registry- and service-level enforcement intended exclusively for isolated SOC labs and controlled test environments.
2. Improper use in a production environment, enterprise network, or unmanaged system may significantly reduce system security, expose the host to malware, or violate organizational security policies.
3. Execution of this tool must be explicitly approved by the system owner or an authorized administrator. Use on systems without proper authorization or outside of controlled testing scenarios is strongly discouraged.
4. Operation of this tool requires full understanding of its impact and full responsibility for its use.
5. This tool must never be deployed on production systems, end-user workstations, or environments where security controls are required to remain active.

The application performs the following functions:

1. runs as a Windows utility intended for isolated lab environments and requires administrator privileges;
2. disables Windows Defender by applying policy-level registry changes affecting 9 functional protection components, including real-time monitoring, behavior monitoring, cloud reporting, scanning features, and exploit guard controls;
3. disables 7 Defender-related services and drivers by modifying their startup configuration at the system level;
4. ensures persistence of the disabled state by creating and executing a scheduled task running as SYSTEM with multiple triggers, including system boot, user logon, and periodic execution, to ensure Windows Defender remains disabled and does not automatically re-enable itself over time;
5. copies itself to a fixed system location and executes from there to ensure consistent task execution;
6. appends a single timestamped entry on each execution, including executions at system boot, at user logon, and multiple times per day (separate time triggers – effectively hourly), to a shared log file, recording Windows Defender disable operations and providing a simple audit trail;
7. displays an informational pop-up notification only on first execution when the scheduled task is created.

Purpose: A Windows tool designed for SOC labs and controlled test environments, for enabling 16 Windows Defender components (9 functional protection components and 7 services/drivers) to support malware research, detection engineering, and blue team training.

The application performs the following functions:

1. runs as a Windows utility intended for restoring Windows Defender functionality in lab environments and requires administrator privileges;
2. removes policy-level registry values used to disable Defender functional protection components;
3. restores startup configuration for Defender-related services and drivers, re-enabling them to their default automatic state;
4. deletes the scheduled task responsible for enforcing Defender disable persistence;
5. appends a single timestamped entry per execution to the same shared log file used by the disabler, explicitly recording that Windows Defender was enabled and maintaining continuity of auditing;
6. displays an informational pop-up notification only when the disabling scheduled task existed and was successfully removed.

Purpose: A Windows tool designed for SOC labs and controlled test environments, providing automated TLS key logging setup for encrypted web traffic analysis.

Important notice:

1. This tool configures TLS key logging and Wireshark preferences, enabling decryption and inspection of encrypted web traffic for analysis purposes.
2. When misused, TLS key logging may allow sensitive or private communications to be decrypted and inspected, potentially violating privacy, confidentiality, or organizational security policies.
3. Execution of this tool must be explicitly approved by the system owner or an authorized administrator, and its use must comply with applicable laws, internal policies, and scope of authorization.
4. This tool is intended exclusively for SOC labs, controlled test environments, and authorized forensic or training scenarios.
5. Operation of this tool requires full understanding of its impact and full responsibility for its use, particularly when handling decrypted network traffic.

Prerequisite:

1. Wireshark must be installed on the system for TLS traffic decryption to be usable; the tool configures TLS key logging and Wireshark preferences but does not install Wireshark itself.

The application performs the following functions:

1. runs as a console application that performs user-level TLS key logging configuration and Wireshark preference updates; it is recommended to run the tool as an administrator to ensure successful execution policy adjustment for the current process;
2. automates the setup of TLS key logging on Windows by creating a dedicated key log directory and file and configuring the SSLKEYLOGFILE user environment variable;
3. updates Wireshark preferences to enable TLS session decryption using the configured key log file;
4. provides a detailed status view showing Wireshark installation detection, key log file existence and size (bytes, KB, MB), environment variable state (user and session), and Wireshark TLS configuration status;
5. supports safe configuration (no overwrite) and forced configuration modes, with optional backup creation of existing key log files and graceful handling of locked files;
6. logs all actions to a transcript file stored on the user’s desktop, enabling auditing and repeatability in forensic and SOC training environments.

Purpose: This script continuously monitors a specified file for changes and copies it to the user’s desktop when modifications occur.

License: Free for personal and commercial use.

Purpose: This script is designed to monitor a specified directory for changes and copy its contents to another directory continuously.

License: Free for personal and commercial use.

Purpose: The script monitors a specified directory for file system changes, logging them and providing real-time notifications.

License: Free for personal and commercial use.

Purpose: FileWatcherWithExactTimestamps is an updated version of FileWatcher that provides exact timestamps in milliseconds, unlike FileWatcher, which provides timestamps in seconds.

License: Free for personal and commercial use.

Purpose: Advanced USB write blocker (a tool that prevents data from being written to USB devices to protect their original content) with auditing and educational module, enabling, disabling, and monitoring the Write Protection mechanism while recommending proper methods of digital evidence acquisition and preservation.

License: Free for personal and commercial use.