This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
get-wsmaninstance -resourceuri shell -enumerate | | |
select Name, State, Owner, ClientIP, ProcessID, MemoryUsed, | |
@{Name = "ShellRunTime"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellRunTime)}}, | |
@{Name = "ShellInactivity"; Expression = {[System.Xml.XmlConvert]::ToTimeSpan($_.ShellInactivity)}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#needs the SAMAccountName | |
$user = "afairfax"; | |
Disable-ADAccount -Identity "$user" -whatif # confirm this is what you want | |
Disable-ADAccount -Identity "$user" -verbose | |
#check it's disabled. Will return false if it is disabled. | |
(Get-ADUser -Identity $user).enabled | |
#re-enable the account when you're ready | |
$user = "afairfax"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dir C:\Windows\Prefetch | sort LastWriteTime -desc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wget -usebasicparsing https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip -outfile PECmd.zip ; | |
Expand-Archive ./PECmd.zip . ; | |
ls *.exe, *.pf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gwmi win32_process | | |
Select Name,@{n='Owner';e={$_.GetOwner().User}},CommandLine | | |
sort Name -unique -descending | Sort Owner | | |
ft -wrap -autosize |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#run as Administrator, copy/paste the below | |
# Mount HKU | |
mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
# Loop through each HKU/user's HKCU, loop though each Office version and application, and implement defences | |
(gci -path "HKU:\*\Software\Microsoft\Office\*\*\Security\").PsPath | | |
Foreach-Object {Set-ItemProperty -path $_ -name "blockcontentexecutionfrominternet" -value 1 -Type DWord -verbose} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Run as Administrator, copy/paste the below | |
# Mount HKU | |
mount -PSProvider Registry -Name HKU -Root HKEY_USERS; | |
# Loop through each HKU/user's HKCU, AND deploy OneNote defences | |
(gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | | |
Foreach-Object {New-ItemProperty -Path $_ -Name "disableembeddedfiles" -Value 1 -type DWORD -verbose}; | |
(gci -path "HKU:\*\Software\Microsoft\Office\*\OneNote\Options\").PsPath | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Meta | |
Date: 2023 January 7th | |
Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) | |
Company: Huntress Labs | |
Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. | |
Notes: | |
Will trigger AV as it's technically credential dumping. | |
Also relies on having internet access, to wget TSCopy | |
Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gwmi win32_useraccount | | |
select Name, SID | | |
? SID -match "" #insert SID between quotes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Download and use script | |
wget -usebasicparsing https://raw.githubusercontent.com/mgreen27/Invoke-LiveResponse/master/Content/Other/Get-BAMParser.ps1 -outfile Get-BAMParser.ps1; | |
./Get-BAMParser.ps1 | out-string | |
# run and look at BAM manually | |
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s |
OlderNewer