Scott Sutherland nullbind
nullbind / Import-ADandGPO.ps1
Last active Nov 15, 2019
This is an example of how to import the Active Directory and GPO PowerShell modules on the fly.
# ---------------------------------------------------
# Load the Active Directory PowerShell module
# ---------------------------------------------------
# $ADModuleBytes = [System.IO.File]::ReadAllBytes("C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.ActiveDirectory.Management.dll")
# $ADModuleString = [System.Convert]::ToBase64String($ADModuleBytes)
# Set the string
nullbind / Get-WmiNamespaceDacl.ps1
Last active Aug 27, 2019
<# Questions / todo
#check for namespace privs
#check for reg key privs
#check for dll hijacking due to missing quotes
#check for dll file privs
#check for impersonation - named pipe, token duplication, scheduled task,other?
#identify managed vs unmanaged; native vs custom
# what else?
nullbind / portable-adps.ps1
# DLL bytes as a string
nullbind / test.ps1
function Invoke-DCSync
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
nullbind / poc.png
Created May 22, 2019
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
nullbind / TellMeYourSecrets.ps1
# PowerShellery
# Source:
# Note: This was hacked together for the sake of portability.
# Note: To refresh TellMeYourSecrets.dll do the following:
# $Bytes = [System.IO.File]::ReadAllBytes("C:\temp\TellMeYourSecrets.dll")
# $MyString = [System.Convert]::ToBase64String($Bytes)
# or
# $Bytes = [System.IO.File]::ReadAllBytes("C:\users\istest1\Desktop\TellMeYourSecrets.dll")
# [System.Reflection.Assembly]::Load($Bytes)
# [TellMeYourSecrets.LSA]::DumpLsa()
nullbind / Get-DomainComputerWSMAN.ps1
Created May 1, 2019
# This script uses the ActiveDirectory module to enumerate live Windows systems on the domain that support WMI/PS Remoting (WSMAN),
# and filters out Windows 7 and Server 2003 hosts
# Run on domain system or via 'runas /netonly /user:domain\user powershell.exe'
# Initial DC
$InitialDc = ''
# Create connection to initial dc
Import-Module ActiveDirectory
nullbind / Invoke-HuntWmiSubscription.ps1
Created May 1, 2019
# Author: Alexander Leary
# Add-ObjectWMI
Function local:Add-ObjectWMI{
[Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true, HelpMessage="Name")]
[string]$Name = "",
nullbind / FindFiles.ps1
# Enumerate the all-users Startup folder on every open remote session
$AllUsersStartup = Invoke-Command -Session (Get-PSSession) -ScriptBlock { Get-ChildItem "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\" | Select-Object FullName }
nullbind / Invoke-HuntEvents.ps1
function Invoke-HuntEvents {
# Set event ids
$x = "4768,4662,1917,216,8224,20001,106,4720,4732"
# Parse into list
$y = $x.Split(',')
# Look up events