@jborean93
jborean93 / WDAC-Ansible.md
Created September 12, 2024 05:24
WDAC Investigations for Ansible

Thoughts on WDAC and Ansible

Current Behaviour

We execute the following bootstrap script:

try { [Console]::InputEncoding = [Console]::OutputEncoding = New-Object System.Text.UTF8Encoding } catch { $null = $_ }

if ($PSVersionTable.PSVersion -lt [Version]"3.0") {
 '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
@jborean93
jborean93 / New-ScheduledTaskSession.ps1
Last active September 6, 2024 11:19
Creates a PSSession that targets a scheduled task process
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function New-ScheduledTaskSession {
<#
.SYNOPSIS
Creates a PSSession for a process running as a scheduled task.
.DESCRIPTION
Creates a PSSession that can be used to run code inside a scheduled task
@jborean93
jborean93 / Invoke-AsScheduledJob.ps1
Created August 23, 2024 04:39
Invokes a PowerShell script as a scheduled task changing the logon type to a BATCH logon.
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
Function Invoke-AsScheduledJob {
<#
.SYNOPSIS
Runs a scriptblock as a scheduled job.
.DESCRIPTION
This is a helper function to run PowerShell code as a scheduled task.
@jborean93
jborean93 / smb_list_shares.py
Last active August 9, 2024 11:09
List SMB shares using smbprotocol library
#!/usr/bin/env python3
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
# PYTHON_ARGCOMPLETE_OK
# Big thanks to pysmb for help with the RPC structures
# https://github.com/miketeo/pysmb
from __future__ import annotations
@jborean93
jborean93 / parse_openssh_key.py
Last active July 28, 2024 01:57
Parses an OpenSSH Private Key file
#!/usr/bin/env python3
# /// script
# dependencies = [
# "bcrypt",
# "cryptography >= 43.0.0",
# "pyyaml",
# ]
# ///
@jborean93
jborean93 / Split-ExeArgument.ps1
Last active August 19, 2024 19:40
Splits the input string using the Win32 argument splitter
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
#Requires -Module Ctypes
Function Split-ExeArgument {
[OutputType([string])]
[CmdletBinding()]
param (
[Parameter(Mandatory, ValueFromPipeline)]
@jborean93
jborean93 / libvirt-network-dns.py
Created June 3, 2024 00:34
Script that can automatically configure DNS domain resolvers for systemd-resolved on QEMU network adapters
#!/usr/bin/python
import os.path
import subprocess
import sys
import xml.etree.ElementTree as ET
def main():
    iface = sys.argv[1]
    hook_case = sys.argv[2]
@jborean93
jborean93 / Get-FileProcess.ps1
Created May 30, 2024 23:18
Gets the process ids that have the requested file(s) opened
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
#Requires -Module Ctypes
#Requires -Version 7.3
Function Get-FileProcess {
<#
.SYNOPSIS
Get the process that has opened the requested file.
@jborean93
jborean93 / WinVerifyTrust-Catalog.ps1
Created May 21, 2024 04:53
Test code for testing WinVerifyTrust with a catalog file.
ctypes_struct WINTRUST_DATA {
[int]$cbStruct
[IntPtr]$pPolicyCallbackData
[IntPtr]$pSIPClientData
[int]$dwUIChoice
[int]$fdwRevocationChecks
[int]$dwUnionChoice
[IntPtr]$pCatalog
[int]$dwStateAction
[IntPtr]$hWVTStateData
@jborean93
jborean93 / Get-SignedCatalogFile.ps1
Last active September 13, 2024 00:34
Gets the signed catalog file details from the provided paths
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
#Requires -Modules Ctypes
#Requires -Version 7.3
Function Get-SignedCatalogFile {
<#
.SYNOPSIS
Gets the .cat file for the specified file.