Dray Agha Purp1eW0lf
Purp1eW0lf
/ WinRM_Shell_Inspect.ps1
Created
February 15, 2022 23:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| get-wsmaninstance -resourceuri shell -enumerate | | |
| select Name, State, Owner, ClientIP, ProcessID, MemoryUsed, | |
| @{Name = "ShellRunTime"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellRunTime)}}, | |
| @{Name = "ShellInactivity"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellInactivity)}} |
Purp1eW0lf
/ Disable_Account.ps1
Created
February 15, 2022 23:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #needs the SAMAccountName | |
| $user = "afairfax"; | |
| Disable-ADAccount -Identity "$user" -whatif # confirm this is what you want | |
| Disable-ADAccount -Identity "$user" -verbose | |
| #check it's disabled. Will return false if it is disabled. | |
| (Get-ADUser -Identity $user).enabled | |
| #re-enable the account when you're ready | |
| $user = "afairfax"; |
Purp1eW0lf
/ Sort_Prefetch.ps1
Created
February 15, 2022 23:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dir C:\Windows\Prefetch | sort LastWriteTime -desc |
Purp1eW0lf
/ Prepare_PECmd.ps1
Created
April 4, 2022 10:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip -outfile PECmd.zip ; | |
| Expand-Archive ./PECmd.zip . ; | |
| ls *.exe, *.pf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gwmi win32_process | | |
| Select Name,@{n='Owner';e={$_.GetOwner().User}},CommandLine | | |
| sort Name -unique -descending | Sort Owner | | |
| ft -wrap -autosize |
Purp1eW0lf
/ Deny_MOTW_Files.ps1
Created
March 15, 2023 20:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, loop though each Office version and application, and implement defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\*\Security\").PsPath | | |
| Foreach-Object {Set-ItemProperty -path $_ -name "blockcontentexecutionfrominternet" -value 1 -Type DWord -verbose} |
Purp1eW0lf
/ Deny_OneNote_Malware.ps1
Created
March 15, 2023 20:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Run as Administrator, copy/paste the below | |
| # Mount HKU | |
| mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
| # Loop through each HKU/user's HKCU, AND deploy OneNote defences | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | | |
| Foreach-Object {New-ItemProperty -Path $_ -Name "disableembeddedfiles" -Value 1 -type DWORD -verbose}; | |
| (gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | |
Purp1eW0lf
/ Registry_Collect.ps1
Last active
April 6, 2023 22:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Meta | |
| Date: 2023 January 7th | |
| Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) | |
| Company: Huntress Labs | |
| Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. | |
| Notes: | |
| Will trigger AV as it's technically credential dumping. | |
| Also relies on having internet access, to wget TSCopy | |
| Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy |
Purp1eW0lf
/ SID_2_User.ps1
Created
April 4, 2022 10:29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gwmi win32_useraccount | | |
| select Name, SID | | |
| ? SID -match "" #insert SID between quotes |
Purp1eW0lf
/ Query_Bam.ps1
Created
April 4, 2022 10:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download and use script | |
| wget -usebasicparsing https://raw.githubusercontent.com/mgreen27/Invoke-LiveResponse/master/Content/Other/Get-BAMParser.ps1 -outfile Get-BAMParser.ps1; | |
| ./Get-BAMParser.ps1 | out-string | |
| # run and look at BAM manually | |
| reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s |
OlderNewer