Jared Atkinson jaredcatkinson
jaredcatkinson
/ Get-AccessToken.ps1
Last active
April 23, 2024 09:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-AccessToken | |
| { | |
| param | |
| ( | |
| [Parameter()] | |
| [System.Diagnostics.Process[]] | |
| $Process | |
| ) | |
| begin |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
April 22, 2024 19:09
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
jaredcatkinson
/ Get-Hash.ps1
Last active
March 15, 2024 17:05
PowerShell v2 port of the Get-FileHash function. This version of Get-Hash supports hashing files and strings.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Hash | |
| { | |
| <# | |
| .SYNOPSIS | |
| Get-Hash is a PowerShell Version 2 port of Get-FileHash that supports hashing files, as well as, strings. | |
| .PARAMETER InputObject | |
| This is the actual item used to calculate the hash. This value will support [Byte[]] or [System.IO.Stream] objects. |
jaredcatkinson
/ Invoke-CommandAST
Last active
February 24, 2024 15:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -Version 3 | |
| # Usage: | |
| # Invoke-command -computername $server -scriptblock {FunctionName -param1 -param2} | |
| # Author: Matt Graeber | |
| # @mattifestation | |
| # www.exploit-monday.com | |
| function Invoke-Command | |
| { | |
| [CmdletBinding(DefaultParameterSetName='InProcess', HelpUri='http://go.microsoft.com/fwlink/?LinkID=135225', RemotingCapability='OwnedByCommand')] |
jaredcatkinson
/ Get-StructureOffset.ps1
Last active
February 24, 2024 15:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-StructureOffset | |
| { | |
| <# | |
| .SYNOPSIS | |
| Returns the field offset of the unmanaged form of the managed structure. | |
| .DESCRIPTION | |
| Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure. |
jaredcatkinson
/ Get-ExtendedAttribute.ps1
Last active
February 24, 2024 15:21
Get-ExtendedAttribute is a function to iterate through the C:\ volume looking for files with Extended Attributes. This code is beta and meant only for the purpose of a blog post on detection methodology.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time. | |
| function Get-ExtendedAttribute | |
| { | |
| foreach($file in (Get-ChildItem -Path C:\ -Recurse)) | |
| { | |
| $obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null} | |
| $obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName | |
| Write-Output $obj | |
| } |
jaredcatkinson
/ ConvertFrom-Base64.ps1
Created
August 16, 2017 23:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function ConvertFrom-Base64 | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true)] | |
| [string] | |
| $Base64String | |
| ) | |
| $stringBytes = [System.Convert]::FromBase64String($Base64String) |
jaredcatkinson
/ Get-KerberosTicketGrantingTicket.ps1
Last active
February 24, 2024 15:19
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
jaredcatkinson
/ Test-Ticket.ps1
Created
September 20, 2017 21:51
Script to test if a Ticket Granting Ticket (TGT) is forged (a Golden Ticket).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Test-Condition | |
| { | |
| param | |
| ( | |
| [Parameter(Mandatory = $true)] | |
| [bool] | |
| $Result, | |
| [Parameter(Mandatory = $true)] | |
| [string] |
jaredcatkinson
/ Resolve-CommandLineToFilePath.ps1
Last active
February 24, 2024 15:18
Script to derive a File Path from a Command Line string
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Resolve-CommandLineToFilePath | |
| { | |
| <# | |
| .SYNOPSIS | |
| The Resolve-CommandLineToFilePath function takes an arbitrary Command Line and resolves the called application/file's path. | |
| .PARAMETER CommandLine | |
| The CommandLine that you want to convert to a file path. |
NewerOlder