# Script to map a host drive inside a Windows Docker Server Container
# You need to be an admin in the container for this to work.
# Use as .\map_host_drive C: X:
[Parameter(Mandatory, Position = 0)]
[Parameter(Mandatory, Position = 1)]
mgraeber-rc / EventDiff.ps1
Created May 28, 2021 14:45
Display only new event log events - I refer to this as event log differential analysis
# Log the time prior to executing the action.
# This will be used as part of an event log XPath filter (lower bound on TimeCreated/@SystemTime).
$DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)
# Do the thing now that you want to see potentially relevant events surface...
$null = Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly
# Give the event logs a moment to populate.
Start-Sleep -Seconds 5
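The gist preview stops before the part that actually reads the logs. The following is an added example (my code, not the gist's) that carries the same technique through: it takes the "before" timestamp, runs an action passed in as a script block, waits, and then queries each log with an XPath filter that keeps only events created at or after that timestamp. The log list, the `Get-EventLogDiff` name and the `-SettleSeconds` parameter are my assumptions; the ISO mount is kept as the sample action.

```powershell
function Get-EventLogDiff {
    <#
    .SYNOPSIS
    Runs an action and returns only the events written to the given logs after it started
    (event log differential analysis). Added example; the log list below is an assumption.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [scriptblock] $Action,

        # Logs to diff. Security requires an elevated prompt; extend the list as needed.
        [string[]] $LogName = @('Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'),

        # Time to let providers flush before querying.
        [int] $SettleSeconds = 5
    )

    # Lower bound for the XPath filter, in the ISO 8601 UTC form the event log uses for @SystemTime.
    $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime(), [System.Xml.XmlDateTimeSerializationMode]::Utc)

    # The thing we want to observe side effects of.
    & $Action | Out-Null

    Start-Sleep -Seconds $SettleSeconds

    # Only events created at or after $DateTimeBefore survive this filter.
    $XPath = "*[System[TimeCreated[@SystemTime>='$DateTimeBefore']]]"

    foreach ($Log in $LogName) {
        # Get-WinEvent raises a non-terminating "No events were found" error for an empty result;
        # suppress it so one quiet log does not clutter the output.
        Get-WinEvent -LogName $Log -FilterXPath $XPath -ErrorAction SilentlyContinue
    }
}

# Sample run: mount an ISO and show every event that appeared across the chosen logs afterwards.
Get-EventLogDiff -Action { Mount-DiskImage -ImagePath "$PWD\FeelTheBurn.iso" -StorageType ISO -Access ReadOnly } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so the Security log is readable. Because the filter is evaluated by the event log service rather than client-side, the query stays cheap even on large logs; the only tuning knob is the settle time, which needs to be long enough for slow providers to flush.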
mgraeber-rc / powershell_structured_query.xml
Created March 16, 2021 17:33
Example custom event view I used to display only relevant PowerShell logs for a demo
<Query Id="0" Path="Security">
<Select Path="Security">
<Select Path="Microsoft-Windows-PowerShell/Operational">
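The preview above shows only the outer elements of the structured query. As an added example (mine, not the gist's), here is a complete `QueryList` in the same shape, driven from PowerShell with `Get-WinEvent -FilterXml`. The event IDs are my assumptions about what "relevant PowerShell logs" means for a demo: 4103 (module logging) and 4104 (script block logging) from the PowerShell operational log, plus 4688 (process creation) from Security, with verbose-level 4104 events suppressed so that only the script blocks PowerShell itself flags as suspicious (logged at Warning level) remain.

```powershell
# Structured query in the same form as the custom view above (assumed event IDs; added example).
# The same XML can be pasted into Event Viewer's "Create Custom View" > XML tab.
[xml] $Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
    <Suppress Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104) and (Level=5)]]</Suppress>
  </Query>
</QueryList>
'@

# One call fans out across both logs; the filter is evaluated by the event log service.
Get-WinEvent -FilterXml $Query -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Drop the `Suppress` element to see every script block, not just the ones PowerShell's built-in heuristics marked as suspicious; the `Level=5` test only works because PowerShell logs ordinary 4104 events at Verbose and suspicious ones at Warning.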
# DCE/RPC request PDU (ptype 0, flags FIRST|LAST, little-endian DREP) whose opnum is 3, i.e. DRSGetNCChanges in drsuapi, sent to a dynamic RPC port.
alert tcp any any -> [!<domaincontrollers to exclude here] [49152:65535] (msg:"Possible DCSync Detected"; flow:to_server,established; flags:PA; content:"|00 03 10 00 00 00|"; depth:8; content:"|03 00|"; distance:14; classtype:attempted-admin; sid:20166316;)
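To see why the two `content` matches land where they do, the following added example (my code, not the gist's) builds DCE/RPC connection-oriented request PDUs from scratch and applies the same byte tests the rule does. In the common 16-byte header, offset 2 is the PDU type (0 = request), offset 3 the fragment flags (0x03 = first and last fragment), offsets 4 to 7 the data representation (0x10 00 00 00 = little-endian integers, ASCII); a request then carries `alloc_hint` (4 bytes), `p_cont_id` (2 bytes) and `opnum` (2 bytes), so `|03 00|` found 14 bytes after the first match is the opnum field at offset 22 equal to 3, which is `IDL_DRSGetNCChanges` in the drsuapi interface. The sample PDUs are constructed here; the function names are mine. Two caveats a deployer will want: the rule never sees the interface UUID (that is in the earlier bind PDU), so an opnum 3 request on any interface to a high port matches, and legitimate DC-to-DC replication issues the same call, which is what the placeholder address exclusion is for.

```powershell
# Added example: decode the header fields the DCSync rule keys on. Layout follows the DCE 1.1 RPC
# connection-oriented PDU format; PDUs below are constructed, not captured traffic.
function Test-DcSyncRequestPdu {
    param([Parameter(Mandatory)] [byte[]] $Pdu)

    # A request header is 24 bytes before the stub; anything shorter cannot match.
    if ($Pdu.Length -lt 24) { return $false }

    $ptype = $Pdu[2]                              # 0 = request
    $flags = $Pdu[3]                              # 0x01 FIRST_FRAG | 0x02 LAST_FRAG
    $drep  = $Pdu[4]                              # 0x10 = little-endian integers, ASCII chars
    $opnum = [BitConverter]::ToUInt16($Pdu, 22)   # operation number within the bound interface

    # Same test as the rule: |00 03 10 00 00 00| inside the first 8 bytes (offsets 2..7),
    # then |03 00| 14 bytes after that match, i.e. opnum == 3 at offset 22.
    return ($ptype -eq 0 -and $flags -eq 3 -and $drep -eq 0x10 -and
            $Pdu[5] -eq 0 -and $Pdu[6] -eq 0 -and $Pdu[7] -eq 0 -and
            $opnum -eq 3)
}

function New-RpcRequestPdu {
    # Builds a minimal, well-formed request PDU (constructed for this example).
    param(
        [Parameter(Mandatory)] [uint16] $OpNum,
        [uint16] $ContextId = 0,
        [uint32] $CallId = 1,
        [byte[]] $Stub = @()
    )
    $fragLen = [uint16](24 + $Stub.Length)
    [byte[]] $hdr = @(5, 0, 0, 3, 0x10, 0, 0, 0) +           # vers 5.0, ptype request, FIRST|LAST, LE DREP
        [BitConverter]::GetBytes($fragLen) +                   # frag_length
        [BitConverter]::GetBytes([uint16]0) +                  # auth_length (no auth trailer)
        [BitConverter]::GetBytes($CallId) +                    # call_id
        [BitConverter]::GetBytes([uint32]$Stub.Length) +       # alloc_hint
        [BitConverter]::GetBytes($ContextId) +                 # p_cont_id
        [BitConverter]::GetBytes($OpNum)                       # opnum
    return [byte[]]($hdr + $Stub)
}

# Constructed samples: a DRSGetNCChanges request (opnum 3) and a DRSBind request (opnum 0).
$getNcChanges = New-RpcRequestPdu -OpNum 3 -Stub ([byte[]]::new(16))
$drsBind      = New-RpcRequestPdu -OpNum 0

"DRSGetNCChanges PDU flagged: $(Test-DcSyncRequestPdu $getNcChanges)"
"DRSBind PDU flagged:         $(Test-DcSyncRequestPdu $drsBind)"
"Opnum bytes at offset 22..23: $(($getNcChanges[22..23] | ForEach-Object { $_.ToString('x2') }) -join ' ')"
```

Note that RPC packet privacy (the default for DRSR) encrypts only the stub data; the header fields checked here, including the opnum, stay in the clear, which is why a byte-level rule on the header works at all. To cut the false positives from other interfaces, pair this rule with a detection of the preceding bind to the drsuapi interface UUID `e3514235-4b06-11d1-ab04-00c04fc2dcd2`, or use a parser that tracks the bind context.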