| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam] | |
| @="AtomicRedTeam" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] |
| <# | |
| .SYNOPSIS | |
| Get digital signatures from files in a target folder. | |
| .DESCRIPTION | |
| Gets digital signatures from .exe and .dll files from a specified path and sub-folders. | |
| Retreives the certificate thumbprint, certificate name, certificate expiry, certificate validity and file path and outputs the results. | |
| Output includes files that are not signed. | |
| .NOTES |
| <# | |
| .SYNOPSIS | |
| Report on Disk Hogs | |
| .DESCRIPTION | |
| Returns a list of the largest directories in use on the local machine | |
| .NOTES | |
| Copyright Keith Garner, All rights reserved. | |
| .PARAMETER Start | |
| Start of the search, usually c:\ | |
| .PARAMETER Path |
The only way to encrypt today is authenticated encryption, or "AEAD". ChaCha20-Poly1305 is faster in software than AES-GCM. AES-GCM will be faster than ChaCha20-Poly1305 with AES-NI. Poly1305 is also easier than GCM for library designers to implement safely. AES-GCM is the industry standard.
Use, in order of preference:
| function Get-Doppelgangers | |
| { | |
| <# | |
| .SYNOPSIS | |
| Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging' | |
| Author: Joe Desimone (@dez_) | |
| License: BSD 3-Clause | |
| #!/usr/bin/env python | |
| #Quick and Dirty Python Interface to Powershell from Python | |
| #Requires pexpect module. Try "pip install pexpect" | |
| import pexpect | |
| from pexpect.popen_spawn import PopenSpawn | |
| import re | |
| import time | |
| class pxpowershell(object): | |
| def __init__(self, *args, **kwargs): |
| # Importing Scripts directly from Tweets! #280characters | |
| # | |
| # NOTE: This should not be used for any production environment. Or any environment for that matter. Use https://PowerShellGallery.com | |
| # | |
| # | |
| #################################### | |
| # Example # | |
| #################################### | |
| # | |
| # |
| #Internet Explorer may not work well with multiple files | |
| #Edge does its own thing | |
| Function Out-Browser { | |
| [cmdletbinding()] | |
| Param( | |
| [Parameter(Position = 0, Mandatory,ValueFromPipelineByPropertyName)] | |
| [Alias("Path")] | |
| [string]$Fullname | |
| ) |
| function Invoke-RunScriptHelperExpression { | |
| <# | |
| .SYNOPSIS | |
| Executes PowerShell code in full language mode in the context of runscripthelper.exe. | |
| .DESCRIPTION | |
| Invoke-RunScriptHelperExpression executes PowerShell code in the context of runscripthelper.exe - a Windows-signed PowerShell host application which appears to be used for telemetry collection purposes. The PowerShell code supplied will run in FullLanguage mode and bypass constrained language mode. |
| # Published for http://powertoe.wordpress.com | |
| # https://powertoe.wordpress.com/2017/10/23/h2o-machine-learning-with-powershell/ | |
| function ConvertTo-FormData { | |
| param( | |
| [Parameter(ValueFromPipeline=$true)] [PSObject] $InputObject | |
| ) | |
| Begin { | |
| $output = "" | |
| } |