Matthew Green mgreen27

## New-ModuleOverview.ps1
function New-ModuleOverview {
    <#
    .SYNOPSIS
    Generates a Markdown file with a short description of each public command in a module.

    .DESCRIPTION
    Finds all the public commands in a specified module and produces a simple Markdown file detailing the description or synopsis (user choice) for each.

    .PARAMETER ModuleName
    Name of the module to generate an overview for. If the module isn't already loaded then it will be loaded.

## fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36
## Uploaded by @JohnLaTwC
## Sample hash: fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36
On Error Resume Next
Dim objShell : Set objShell = CreateObject("WScript.Shell")

If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
    For Each vArg In WScript.Arguments
        sArgs = sArgs & " """ & vArg & """"
    Next
    objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit")

## wldp_interesting_rundll32_invocations.txt
StorageUsage.dll,GetStorageUsageInfo
acmigration.dll,ApplyMigrationShims
acproxy.DLL,PerformAutochkOperations
ppioobe.dll,setupcalendaraccountforuser
edgehtml.dll,#125
edgehtml.dll,#133
davclnt.dll,davsetcookie
appxdeploymentextensions.onecore.dll,shellrefresh
pla.dll,plahost
aeinv.dll,updatesoftwareinventory

## config-client.xml
<!--
   This is a Microsoft Sysmon configuration to be used on Windows workstations
   v0.2.1 December 2016
   Florian Roth (with the help and ideas of others)

   The focus of this configuration is
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on

## o365-kb.md

      
              1 file
            
          
              2 forks
            
          
              2 comments
            
          
              8 stars
            
          
                hiddenillusion
                / o365-kb.md
            
            
              Last active
              September 26, 2021 04:47
            
          
Term
Description
Link(s)


Alias
Another email address that people can use to email


App Password
An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.


Alternate email address
Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users


AuditAdmin


AuditDelegate


Delegate
An account with assigned permissions to a mailbox.


Display Name
Name that appears in the Address Book & on the TO and From lines on an email.


EAC
"Exchange Admin Center"


## Microsoft-Windows-FileInfoMinifilter.txt


Id          : 1
Version     : 0
LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
Level       : System.Diagnostics.Eventing.Reader.EventLevel
Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
Task        : System.Diagnostics.Eventing.Reader.EventTask
Keywords    : {, fi:FileNameCreate}
Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">

## PowerShell Command Line Logging
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions

Log Source Type:
  MS Event Log for Win7/Win8/2008/2012 - PowerShell

Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true

## auto_shellcode_hashes.py
import os
import sys
import logging

import pefile
import ucutils
import unicorn
import capstone
import argparse

## Windows command line gui access.md

      
              1 file
            
          
              16 forks
            
          
              1 comment
            
          
              64 stars
            
          
                scotgabriel
                / Windows command line gui access.md
            
            
              Last active
              November 11, 2023 14:53
            
              
                Common windows functions via rundll user32 and control panel
              
          
    Rundll32 commands

OS: Windows 10/8/7

Add/Remove Programs


RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0

Content Advisor


RunDll32.exe msrating.dll,RatingSetupUI

Control Panel


## iddqd.yar
/*
WARNING:

the newest version of this rule is now hosted here:
https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
*/


/*
      _____        __  __  ___        __
	function New-ModuleOverview {
	<#
	.SYNOPSIS
	Generates a Markdown file with a short description of each public command in a module.

	.DESCRIPTION
	Finds all the public commands in a specified module and produces a simple Markdown file detailing the description or synopsis (user choice) for each.

	.PARAMETER ModuleName
	Name of the module to generate an overview for. If the module isn't already loaded then it will be loaded.
	## Uploaded by @JohnLaTwC
	## Sample hash: fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36
	On Error Resume Next
	Dim objShell : Set objShell = CreateObject("WScript.Shell")

	If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
	For Each vArg In WScript.Arguments
	sArgs = sArgs & " """ & vArg & """"
	Next
	objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit")
	StorageUsage.dll,GetStorageUsageInfo
	acmigration.dll,ApplyMigrationShims
	acproxy.DLL,PerformAutochkOperations
	ppioobe.dll,setupcalendaraccountforuser
	edgehtml.dll,#125
	edgehtml.dll,#133
	davclnt.dll,davsetcookie
	appxdeploymentextensions.onecore.dll,shellrefresh
	pla.dll,plahost
	aeinv.dll,updatesoftwareinventory
	<!--
	This is a Microsoft Sysmon configuration to be used on Windows workstations
	v0.2.1 December 2016
	Florian Roth (with the help and ideas of others)

	The focus of this configuration is
	- malware detection (execution)
	- malware detection (network connections)
	- exploit detection
	It is not focussed on
Term	Description	Link(s)
Alias	Another email address that people can use to email
App Password	An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
Alternate email address	Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users
AuditAdmin
AuditDelegate
Delegate	An account with assigned permissions to a mailbox.
Display Name	Name that appears in the Address Book & on the TO and From lines on an email.
EAC	"Exchange Admin Center"


	Id : 1
	Version : 0
	LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
	Level : System.Diagnostics.Eventing.Reader.EventLevel
	Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
	Task : System.Diagnostics.Eventing.Reader.EventTask
	Keywords : {, fi:FileNameCreate}
	Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
	# PowerShell Audit Logging for LogRhythm SIEM - 2015
	# For detecting dangerous PowerShell Commands/Functions

	Log Source Type:
	MS Event Log for Win7/Win8/2008/2012 - PowerShell

	Add this file to your PowerShell directory to enable verbose command line audit logging
	profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true
	import os
	import sys
	import logging

	import pefile
	import ucutils
	import unicorn
	import capstone
	import argparse
	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __