stoXe IAmStoxe
IAmStoxe
/ loop-json.sh
Last active
June 17, 2025 17:04
This example shows you how to utilize jq to loop bash script through an array of JSON values.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| jsonData='[{"name": "name#1","value": "value#1"},{"name": "name#2","value": "value#2"}]' | |
| for row in $(echo "${jsonData}" | jq -r '.[] | @base64'); do | |
| _jq() { | |
| echo "${row}" | base64 --decode | jq -r "${1}" | |
| } | |
| # OPTIONAL | |
| # Set each property of the row to a variable | |
| name=$(_jq '.name') | |
| value=$(_jq '.value') |
IAmStoxe
/ Delete-PodsByRegex.ps1
Created
June 26, 2020 16:36
Delete all kubernetes pods by regex pattern with PowerShell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $NS="NameSpace"; $Pattern="amass"; & kubectl get pods -n $NS | % {"$_" -Split " "} | Select-String -Pattern $Pattern | %{ & kubectl delete -n $NS pod $_ } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Download the latest release with the command: | |
| curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl; | |
| # Make the kubectl binary executable. | |
| chmod +x ./kubectl; | |
| # Move the binary in to your PATH. | |
| sudo mv ./kubectl /usr/local/bin/kubectl; | |
| # Test to ensure the version you installed is up-to-date: | |
| kubectl version --client; |
IAmStoxe
/ BlockCommonApplicationsViaFirewall.cmd
Created
June 23, 2020 01:52
Block applications commonly utilized by malware from accessing the internet.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
| netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
| netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
| netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
| netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any | |
| netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action= |
IAmStoxe
/ HardenDefenderForOffice.ps1
Created
June 23, 2020 01:30
Enabling some Windows Defender protections for office documents. https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OPTIONAL - Just Uncomment - Restore defaults to Windows Defenders | |
| #%programfiles%\"Windows Defender"\MpCmdRun.exe -RestoreDefaults | |
| # Block Office applications from creating child processes | |
| powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled | |
| # Block Office applications from injecting code into other processes | |
| powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions enable | |
| # Block Win32 API calls from Office macro |
IAmStoxe
/ UninstallO365.bat
Created
June 19, 2020 18:55
Dell ships its latitude laptops with 3 different versions of Office 365 installed by default. If you dont use this script you must go through each individually in the control panel which can be time consuming. This should aid in that process.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM "Spanish" | |
| "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=O365HomePremRetail.16_es-es_x-none culture=es-es version.16=16.0 | |
| REM "French" | |
| "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=O365HomePremRetail.16_fr-fr_x-none culture=fr-fr version.16=16.0 | |
| REM "English" | |
| "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=O365HomePremRetail.16_en-en_x-none culture=en-en version.16=16.0 |
IAmStoxe
/ Sync w32tm to PDC on all domain controllers - one liner.ps1
Last active
November 3, 2020 16:21
Sync w32tm to PDC on all domain controllers in a compact one liner.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Invoke-Command -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name) -ScriptBlock { | |
| w32tm /config /syncfromflags:domhier /reliable:no /update; net stop w32time; net start w32time; | |
| } |
IAmStoxe
/ Hard Coded Host.json
Created
May 28, 2020 20:05
How to launch a Exchange Management Shell remotely with Windows Terminal. Add these to your settings.json for Windows Terminal to utilize
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Replace SERVER_NAME with the FQDN of your exchange server before using | |
| { | |
| "name": "PS Exchange Management Shell", | |
| "tabTitle": "PS Exchange Management Shell", | |
| "commandline": "powershell.exe -NoProfile -NoExit -Command Enter-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://SERVER_NAME/PowerShell/' -Credential (Get-Credential)" | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Mozilla User Preferences | |
| // To change a preference value, you can either: | |
| // - modify it via the UI (e.g. via about:config in the browser); or | |
| // - set it within a user.js file in your profile (create it if it doesn't exist). | |
| // | |
| // Profile folder location on different systems: | |
| // Windows: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default | |
| // Mac OS X: Users/<username>/Library/Application Support/Firefox/Profiles/xxxxxxxx.default | |
| // Linux: /home/<username>/.mozilla/firefox/xxxxxxxx.default |
IAmStoxe
/ Create-ShadowCopyScheduledTasks.ps1
Created
May 13, 2020 00:16
Create a scheduled task to limit maximum ShadowCopy size to 15% of your drive. Also create (2) scheduled tasks to create shadowcopies at 10am and 4pm.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module ScheduledTasks | |
| $runas = New-ScheduledTaskPrincipal "System" -LogonType ServiceAccount | |
| $TaskName1 = "Set ShadowCopy Size Limit to 15%" | |
| $action1 = New-ScheduledTaskAction -Execute "C:\Windows\System32\vssadmin.exe" -Argument "resize shadowstorage /for=c: /on=c: /MaxSize=15%" | |
| $trigger1 = New-ScheduledTaskTrigger -Daily -At "8:00" | |
| Register-ScheduledTask -Action $action1 -Trigger $trigger1 -TaskName $TaskName1 -Description "Set the maximum amount of space used by ShadowCopy to 15%" -Principal $runas |