shadowbq / .README.md
Last active May 22, 2023 16:37 — forked from mattifestation/MDE_DataCollection_Scripts.md
Microsoft MDE EDR LiveResponse and SenseIR collection PowerShell scripts

Microsoft Defender PowerShell and LUA delivery

Microsoft Defender for Endpoint ensures the integrity of the scripts it pushes and executes.

First, it ensures that the script to execute matches the expected file hash. Example:

powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65
shadowbq / README - LVM Encryption Resize.md
Last active March 15, 2023 18:17
Enlarge LVM on LUKS encrypted VG

Enlarge LVM on LUKS

Example #1 - Move data from a small physical drive to a bigger physical drive

Enlarging an LVM-on-LUKS logical partition, for instance after migrating to a larger hard disk, is done in the opposite way to shrinking: from the outermost to the innermost layer:

primary partition(LUKS device{volume group[(logical partition1)(logical partition2-->)]})

Preparation

Create a new partition of the wanted size on the new hard disk, for instance by using GNU Parted, and clone the old partition sdX1, containing your LUKS container, into the new partition sdY1:

shadowbq / py_in_bash.sh
Created January 31, 2023 00:32
Python in Bash for script delivery
#!/usr/bin/env bash
set -a   # auto-export every variable assigned from here on
command -v python3 >/dev/null 2>&1 || {
    echo >&2 "Python3 required. Aborting."
    exit 1
}
MYSTRING="Do something in bash"
export MYSTRING   # export by name; "export $MYSTRING" would word-split the value into bogus variable names
shadowbq / minimal-defender-bypass.profile
Created January 4, 2022 17:56 — forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
shadowbq / README.md
Created September 29, 2021 13:50
SSL/TLS Certificate Files and How to Convert Them

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

#! /bin/bash
# Create 100 directories, each holding 100 files of random size (1024..33791 bytes) filled from /dev/urandom
for d in {1..100}; do
    mkdir -p ./dir-$(printf %03d "$d") && cd ./dir-$(printf %03d "$d") || exit 1
    for n in {1..100}; do
        ( dd if=/dev/urandom of=file-$( printf %03d "$n" ).bin bs=1 count=$(( RANDOM + 1024 )) ) > /dev/null 2>&1
    done
    cd ..
done
shadowbq / Window_Time.bat
Last active April 15, 2019 13:26
Windows Time Force for Cloud Snapshots
@echo off
:: Reference: https://www.pahoehoe.net/configure-w32time-ntp-on-a-standalone-windows-box/
:: Reference: https://community.spiceworks.com/topic/1951714-ntp-setting-server-2012-r2-settings-not-working
:: Reference: https://www.mcbsys.com/blog/2014/08/basic-windows-time-service-setup/
:: ## Look @config
w32tm /query /configuration
w32tm /query /status
:: # Changing the polling flag (it's listed in decimal seconds)
shadowbq / Powershell.log
Last active April 30, 2021 13:07
PDH with Powershell for Network Stats
' Notes:
' https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-counter?view=powershell-5.1
' https://docs.bmc.com/docs/display/public/bcmco95/Windows+IPv4+and+IPv6+Statistics
' https://kb.paessler.com/en/topic/50673-how-can-i-find-out-the-names-of-available-performance-counters
' https://docs.microsoft.com/en-us/windows-server/networking/technologies/network-subsystem/net-sub-performance-counters
' https://leanpub.com/windowspowershellnetworkingguide/read#leanpub-auto-performance-counters
PS C:\Users\jdoe> powershell -ExecutionPolicy Bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
shadowbq / Firewallpol.json
Last active February 14, 2019 13:18
Nsm javascript pseudo
{
"FirewallPolicyId": 120,
"Name": "TestFirewallPolicy",
"DomainId": 0,
"VisibleToChild": true,
"Description": "test the firewallpolicy",
"LastModifiedTime": "2012-12-12 12:32:44",
"IsEditable": true,
"PolicyType": "ADVANCED",
"PolicyVersion": 1,
shadowbq / vss_powershell_restore.ps1
Created July 3, 2018 14:37
Restore from VSS using PS
# VSS Location
# \\localhost\D$\@GMT-2011.09.20-06.00.04_Data\Folder\SubFolder
$source="\\localhost\D$\@GMT-2011.09.20-06.00.04_Data\Folder\SubFolder"
$dest="C:\temp\dest"
$logfile="C:\logs\VSS-restoration.log"
$what = @("/COPYALL","/MIR")