Dray Agha Purp1eW0lf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gwmi win32_process | | |
| Select Name,@{n='Owner';e={$_.GetOwner().User}},CommandLine | | |
| sort Name -unique -descending | Sort Owner | | |
| ft -wrap -autosize |
Purp1eW0lf
/ WinRM_Shell_Inspect.ps1
Created
February 15, 2022 23:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get-wsmaninstance -resourceuri shell -enumerate | | |
| select Name, State, Owner, ClientIP, ProcessID, MemoryUsed, | |
| @{Name = "ShellRunTime"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellRunTime)}}, | |
| @{Name = "ShellInactivity"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellInactivity)}} |
Purp1eW0lf
/ Disable_Account.ps1
Created
February 15, 2022 23:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #needs the SAMAccountName | |
| $user = "afairfax"; | |
| Disable-ADAccount -Identity "$user" -whatif # confirm this is what you want | |
| Disable-ADAccount -Identity "$user" -verbose | |
| #check it's disabled. Will return false if it is disabled. | |
| (Get-ADUser -Identity $user).enabled | |
| #re-enable the account when you're ready | |
| $user = "afairfax"; |
Purp1eW0lf
/ Sort_Prefetch.ps1
Created
February 15, 2022 23:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dir C:\Windows\Prefetch | sort LastWriteTime -desc |
Purp1eW0lf
/ Rotate_Passwd.ps1
Created
February 15, 2022 23:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $user = "erochester" ; | |
| $newPass = "[New-Password-Please]"; | |
| #Change password twice. | |
| #First can be junk password, second time can be real new password | |
| Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "6;wB3yj9cI8X" -Force) -verbose | |
| Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force) -verbose | |
| #If the machine is not connected to AD, or account is a local one use this instead |
Purp1eW0lf
/ remove_user_from_group.ps1
Created
February 15, 2022 23:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| remove-adgroupmember -identity Administrators -members "erochester" -verbose -confirm:$false |
Purp1eW0lf
/ rdp_log_investigate.ps1
Created
February 15, 2022 23:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get-winevent -logname "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | | |
| ? id -match 1149 | | |
| sort Time* -descending | | |
| fl time*, message |
Purp1eW0lf
/ Terminate_RDP.ps1
Created
February 15, 2022 23:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #show the users' session | |
| qwinsta | |
| #target their session id | |
| logoff 3 /v |
Purp1eW0lf
/ Pull_logs_and_zip.ps1
Created
February 17, 2022 00:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Ensure errors don't ruin anything for us | |
| $ErrorActionPreference = "SilentlyContinue" | |
| # Set variables | |
| $DesktopPath = [Environment]::GetFolderPath("Desktop") | |
| $basic = "C:\windows\System32\winevt\Logs\Application.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx", "C:\windows\System32\winevt\Logs\System.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx", "C:\windows\System32\winevt\Logs\Security.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | |
| $remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx" |
Purp1eW0lf
/ Sysmon_Lab.ps1
Last active
October 6, 2023 13:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2022 March 28th | |
| Updated: 2023 October 6th | |
| Authors: Dray Agha (Twitter @purp1ew0lf), Dipo Rodipe (Twitter @dipotwb) | |
| Company: Huntress Labs | |
| Purpose: Automate setting up Sysmon and pulling Ippsec's sysmon IoC streamliner. Great for malware lab. | |
| #> | |
| ################################################################################################################ |
OlderNewer