Jared Atkinson jaredcatkinson

## Invoke-CommandAST
#requires -Version 3
# Usage:
# Invoke-command -computername $server -scriptblock {FunctionName -param1 -param2}
# Author: Matt Graeber
# @mattifestation
# www.exploit-monday.com

function Invoke-Command
{
    [CmdletBinding(DefaultParameterSetName='InProcess', HelpUri='http://go.microsoft.com/fwlink/?LinkID=135225', RemotingCapability='OwnedByCommand')]

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                jaredcatkinson
                / keybase.md
            
            
              Created
              August 18, 2016 13:15
            
          
    Keybase proof

I hereby claim:

I am jaredcatkinson on github.
I am jaredcatkinson (https://keybase.io/jaredcatkinson) on keybase.
I have a public key whose fingerprint is E36F 8790 CAFF 1865 40C6  E2D5 2D79 10BE 8FC6 F83E

To claim this, I am signing this object:

  
## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## Get-StructureOffset.ps1
function Get-StructureOffset
{
    <#
    .SYNOPSIS

    Returns the field offset of the unmanaged form of the managed structure.

    .DESCRIPTION

    Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure.

## Get-ExtendedAttribute.ps1
# This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time.

function Get-ExtendedAttribute
{
    foreach($file in (Get-ChildItem -Path C:\ -Recurse))
    {
        $obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null}
        $obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName
        Write-Output $obj
    }

## ConvertFrom-Base64.ps1
function ConvertFrom-Base64
{
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]
        $Base64String
    )

    $stringBytes = [System.Convert]::FromBase64String($Base64String)

## Get-AccessToken.ps1
function Get-AccessToken
{
    param
    (
        [Parameter()]
        [System.Diagnostics.Process[]]
        $Process
    )

    begin

## Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
{
    <#
    .SYNOPSIS

    Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

    .DESCRIPTION

    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.

## Test-Ticket.ps1
function Test-Condition
{
    param
    (
        [Parameter(Mandatory = $true)]
        [bool]
        $Result,

        [Parameter(Mandatory = $true)]
        [string]

## Resolve-CommandLineToFilePath.ps1
function Resolve-CommandLineToFilePath
{
    <#
    .SYNOPSIS

    The Resolve-CommandLineToFilePath function takes an arbitrary Command Line and resolves the called application/file's path.

    .PARAMETER CommandLine

    The CommandLine that you want to convert to a file path.
	#requires -Version 3
	# Usage:
	# Invoke-command -computername $server -scriptblock {FunctionName -param1 -param2}
	# Author: Matt Graeber
	# @mattifestation
	# www.exploit-monday.com

	function Invoke-Command
	{
	[CmdletBinding(DefaultParameterSetName='InProcess', HelpUri='http://go.microsoft.com/fwlink/?LinkID=135225', RemotingCapability='OwnedByCommand')]
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	function Get-StructureOffset
	{
	<#
	.SYNOPSIS

	Returns the field offset of the unmanaged form of the managed structure.

	.DESCRIPTION

	Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure.
	# This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time.

	function Get-ExtendedAttribute
	{
	foreach($file in (Get-ChildItem -Path C:\ -Recurse))
	{
	$obj = Get-ExtendedAttribute -FilePath $file.FullName \| Where-Object {$_ -ne $null}
	$obj \| Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName
	Write-Output $obj
	}
	function ConvertFrom-Base64
	{
	param
	(
	[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
	[string]
	$Base64String
	)

	$stringBytes = [System.Convert]::FromBase64String($Base64String)
	function Get-AccessToken
	{
	param
	(
	[Parameter()]
	[System.Diagnostics.Process[]]
	$Process
	)

	begin
	function Get-KerberosTicketGrantingTicket
	{
	<#
	.SYNOPSIS

	Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

	.DESCRIPTION

	Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
	function Test-Condition
	{
	param
	(
	[Parameter(Mandatory = $true)]
	[bool]
	$Result,

	[Parameter(Mandatory = $true)]
	[string]
	function Resolve-CommandLineToFilePath
	{
	<#
	.SYNOPSIS

	The Resolve-CommandLineToFilePath function takes an arbitrary Command Line and resolves the called application/file's path.

	.PARAMETER CommandLine

	The CommandLine that you want to convert to a file path.