Matthew Green mgreen27
mgreen27
/ Get-ExtrinsicEventClasses.ps1
Created
May 27, 2017 01:26
— forked from et0x/Get-ExtrinsicEventClasses.ps1
List all WMI extrinsic event classes recursively
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-Derived { | |
| Param( | |
| [String]$Class, | |
| [String]$Namespace | |
| ) | |
| if (-not [string]::IsNullOrEmpty($Class)) | |
| { | |
| Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | foreach { | |
| Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE | |
| $_ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Invoke-CLSIDParser.ps1 parses COM CLSID entries from HKEY_LOCAL_MACHINE and HKEY_USERS registry hives. | |
| Name: Invoke-CLSIDParser.ps1 | |
| Version: 0.1 | |
| Author: Matt Green (@mgreen27) | |
| .DESCRIPTION | |
| Researchers have recently written about several use cases for code execution and persistance utilising COM (Component Object Model) hijacking. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Get-AMSIEvents | |
| { | |
| <# | |
| .SYNOPSIS | |
| Get-AMSIEvents collects AMSI events during interval. | |
| Name: Get-AMSIEvents.ps1 | |
| Version: 0.1 | |
| Date: 2019-05-26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketCache | |
| { | |
| <# __CyberCX__ | |
| Author: Jared Atkinson (@_jaredca_tkinson) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| .EXAMPLE |
mgreen27
/ Get-KerberosTicketGrantingTicket.ps1
Created
September 23, 2020 10:53
Get-KerberosTicketGrantingTicket.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-KerberosTicketGrantingTicket | |
| { | |
| <# __CYberCX__ | |
| .SYNOPSIS | |
| Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
| .DESCRIPTION | |
| Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Find BinaryRename of commonly abused Living off the Land Binaries | |
| Name: Get-BinaryRename.ps1 | |
| Date: 2019-05-31 | |
| Version: 0.2 | |
| Author: Matt Green (@mgreen27) | |
| Requirements: | |
| Get-FileHash Powershell 4.0+ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.System.KB5000871 | |
| author: Matt Green - @mgreen27 | |
| description: | | |
| This artifact will check for KB5000871 in system Uninstall keys. | |
| KB5000871 is not visible via Get-Hotfix or Systeminfo so we need to query the | |
| uninstall keys. Modify NameRegex to search for other installed applications. | |
| reference: | |
| - https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b |
mgreen27
/ gcloud_cheat_sheet.md
Created
March 19, 2021 01:34
— forked from pydevops/gcloud-cheat-sheet.md
gcp gcloud cheat sheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0' encoding='windows-1252'?> | |
| <?define AppRegKey="Software\COMPANYNAME\TOOLNAME" ?> | |
| <?define PackageDescription="COMPANYNAME TOOLNAME installer" ?> | |
| <?define Manufacturer="COMPANYNAME" ?> | |
| <?define Name="TOOLNAME" ?> | |
| <?define Version="VERSION" ?> | |
| <?define BinaryName="TOOLNAME.exe" ?> | |
| <?define BinaryNamex86="TOOLNAMEx86.exe" ?> | |
| <Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Custom.Windows.EventLogs.Bitsadmin | |
| author: "Matt Green - @mgreen27" | |
| description: | | |
| This content will extract BITS Transfer events and enable filtering by URL | |
| reference: | |
| - https://attack.mitre.org/techniques/T1197/ | |
| - https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html | |
| parameters: |
OlderNewer