Scott Sutherland nullbind

View portable-adps.ps1
This file has been truncated, but you can view the full file.
# DLL bytes as a string
View test.ps1
This file has been truncated, but you can view the full file.
function Invoke-DCSync
{
<#
.SYNOPSIS
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
@nullbind
nullbind / poc.png
Created May 22, 2019 — forked from caseysmithrc/poc.png
MSBuild - Property functions -
View poc.png
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View TellMeYourSecrets.ps1
# PowerShellery
# Source: https://github.com/0xbadjuju/TellMeYourSecrets
# Note: This was hacked together for the sake of portability.
# Note: To refresh TellMeYourSecrets.dll do the following:
# $Bytes = [System.IO.File]::ReadAllBytes("C:\temp\TellMeYourSecrets.dll")
# $MyString = [System.Convert]::ToBase64String($Bytes)
# or
# $Bytes = [System.IO.File]::ReadAllBytes("C:\users\istest1\Desktop\TellMeYourSecrets.dll")
# [System.Reflection.Assembly]::Load($Bytes)
# [TellMeYourSecrets.LSA]::DumpLsa()
@nullbind
nullbind / Get-DomainComputerWSMAN.ps1
Created May 1, 2019
Get-DomainComputerWSMAN.ps1
View Get-DomainComputerWSMAN.ps1
# This script uses the ActiveDirectory module to enumerate live Windows systems on the domain that support WMI/PS Remoting,
# and filters out Win7 and 2k3 hosts
# Run on domain system or via 'runas /netonly /user:domain\user powershell.exe'
# Initial DC
$InitialDc = '10.4.222.205'
# Create connection to initial dc
Import-Module ActiveDirectory
@nullbind
nullbind / Invoke-HuntWmiSubscription.ps1
Created May 1, 2019
Invoke-HuntWmiSubscription.ps1
View Invoke-HuntWmiSubscription.ps1
# Author: Alexander Leary
#--------------------------------------------------------------------------------
# Add-ObjectWMI
#--------------------------------------------------------------------------------
Function local:Add-ObjectWMI{
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true, HelpMessage="Name")]
[string]$Name = "",
View FindFiles.ps1
# List the full path of every item in the All Users Startup folder on each host
# that has an open PS remoting session. Items in this folder are launched at
# logon for every user, which makes it a common place to check for persistence.
# $env:ALLUSERSPROFILE sits inside the script block, so it is resolved on each
# remote host rather than on the machine running this line.
$allusersstartuP = Invoke-Command `
    -Session (Get-PSSession) `
    -ScriptBlock {
        Get-ChildItem -Path "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\" |
            Select-Object -Property fullname
    }
View Invoke-HuntEvents.ps1
function Invoke-HuntEvents {
# Set event ids
$x = "4768,4662,1917,216,8224,20001,106,4720,4732"
# Parse into list
$y = $x.Split(',')
# Look up events
@nullbind
nullbind / Invoke-HuntServiceInfo.ps1
Created May 1, 2019
Invoke-HuntServiceInfo.ps1
View Invoke-HuntServiceInfo.ps1
# Inventory the services registered on the local host via WMI, keeping the
# fields most useful for triage (binary path, start mode, install date).
# The same line can be pushed to every active PS remoting session.
# NOTE(review): ServiceName is not among the documented Win32_Service
# properties (Name and DisplayName are), so that column may come back empty.
# Confirm before relying on it. State and StartName are not selected here.
Get-WmiObject -Class win32_service |
    Select-Object -Property Name, ServiceName, Description, PathName, ServiceType, StartMode, Status, InstallDate
@nullbind
nullbind / Invoke-HuntServiceInfo.ps1
Created May 1, 2019
Invoke-HuntServiceInfo.ps1
View Invoke-HuntServiceInfo.ps1
# Inventory the services registered on the local host via WMI, keeping the
# fields most useful for triage (binary path, start mode, install date).
# The same line can be pushed to every active PS remoting session.
# NOTE(review): ServiceName is not among the documented Win32_Service
# properties (Name and DisplayName are), so that column may come back empty.
# Confirm before relying on it. State and StartName are not selected here.
Get-WmiObject -Class win32_service |
    Select-Object -Property Name, ServiceName, Description, PathName, ServiceType, StartMode, Status, InstallDate