```powershell
# Ensure errors don't ruin anything for us
$ErrorActionPreference = "SilentlyContinue"
# Set variables
$DesktopPath = [Environment]::GetFolderPath("Desktop")
# Core event logs worth pulling from every host
$basic = "C:\windows\System32\winevt\Logs\Application.evtx",
         "C:\windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx",
         "C:\windows\System32\winevt\Logs\System.evtx",
         "C:\windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx",
         "C:\windows\System32\winevt\Logs\Security.evtx",
         "C:\windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx"
# Logs that record inbound RDP and WinRM sessions
$remote_logs = "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx",
               "C:\windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx"
```
```powershell
# show the users' sessions
qwinsta
# target their session id (3 here is an example value read from the qwinsta output)
logoff 3 /v
```
```powershell
# Event ID 1149 = "User authentication succeeded" on the RDP listener: who connected, from which address, and when
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" |
    Where-Object Id -eq 1149 |
    Sort-Object TimeCreated -Descending |
    Format-List TimeCreated, Message
```
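The log list from the first snippet and the RDP triage above can be combined so that the evidence is copied off the host with a hash manifest and the 1149 query then runs against the copy rather than the live log. This is an added example, not code from the gist; the destination folder layout, the function names and the manifest columns are assumptions.

```powershell
# Copy the .evtx files to a timestamped folder on the Desktop and record their SHA-256
# so the copies can later be shown to match what was collected (folder name is an assumption)
function Collect-EvtxLogs {
    param(
        [string[]]$LogPaths,
        [string]$Destination = (Join-Path ([Environment]::GetFolderPath("Desktop")) `
                                          ("evtx_" + (Get-Date -Format "yyyyMMdd_HHmmss")))
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest = foreach ($path in $LogPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Missing: $path"   # e.g. Sysmon not installed on this host
            continue
        }
        $copy = Join-Path $Destination (Split-Path -Leaf $path)
        Copy-Item -LiteralPath $path -Destination $copy -Force
        [pscustomobject]@{
            Source    = $path
            Copy      = $copy
            Bytes     = (Get-Item -LiteralPath $copy).Length
            SHA256    = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
            Collected = (Get-Date).ToUniversalTime().ToString("o")
        }
    }
    $manifest | Export-Csv -LiteralPath (Join-Path $Destination "manifest.csv") -NoTypeInformation
    $manifest
}

# Same 1149 triage as the gist, but read from a collected copy; EventData for 1149 carries
# user, domain and source network address as its first three parameters
function Get-RdpLogons {
    param([string]$EvtxPath)
    Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 1149 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
            @{ n = 'User';     e = { $_.Properties[0].Value } },
            @{ n = 'Domain';   e = { $_.Properties[1].Value } },
            @{ n = 'SourceIP'; e = { $_.Properties[2].Value } }
}

# Usage: collect two of the gist's logs, then list RDP logons from the copied RDP log
$run = Collect-EvtxLogs -LogPaths @(
    "C:\windows\System32\winevt\Logs\Security.evtx",
    "C:\windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx")
Get-RdpLogons -EvtxPath ($run | Where-Object Source -like '*RemoteConnectionManager*').Copy | Format-Table -AutoSize
```

Run it elevated; Security.evtx and the manifest's hashes are only useful if the copies are taken before anyone clears or rotates the logs.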
```powershell
# remove the account from the domain's built-in Administrators group without prompting
Remove-ADGroupMember -Identity Administrators -Members "erochester" -Verbose -Confirm:$false
```
```powershell
$user = "erochester"
$newPass = "[New-Password-Please]"
# Change password twice.
# First can be junk password, second time can be real new password
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "6;wB3yj9cI8X" -Force) -Verbose
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $newPass -Force) -Verbose
# If the machine is not connected to AD, or account is a local one use this instead
Set-LocalUser -Name $user -Password (ConvertTo-SecureString -AsPlainText $newPass -Force) -Verbose
```
```powershell
# Prefetch files, most recently written first: which executables ran last on this host
Get-ChildItem C:\Windows\Prefetch | Sort-Object LastWriteTime -Descending
```
```powershell
# needs the SAMAccountName
$user = "afairfax"
Disable-ADAccount -Identity $user -WhatIf    # confirm this is what you want
Disable-ADAccount -Identity $user -Verbose
# check it's disabled. Will return False if it is disabled.
(Get-ADUser -Identity $user).Enabled
# re-enable the account when you're ready
$user = "afairfax"
Enable-ADAccount -Identity $user -Verbose
```
```powershell
# Live WinRM / PowerShell remoting shells on this host: owner, client IP, and how long each
# has been running or idle (the service reports ISO 8601 durations, hence XmlConvert::ToTimeSpan)
Get-WSManInstance -ResourceURI shell -Enumerate |
    Select-Object Name, State, Owner, ClientIP, ProcessID, MemoryUsed,
        @{ Name = "ShellRunTime";    Expression = { [System.Xml.XmlConvert]::ToTimeSpan($_.ShellRunTime) } },
        @{ Name = "ShellInactivity"; Expression = { [System.Xml.XmlConvert]::ToTimeSpan($_.ShellInactivity) } }
```
```powershell
# Running processes with owner and full command line, grouped by owner;
# -Unique keeps one entry per process name, so drop it if you need every instance
Get-WmiObject Win32_Process |
    Select-Object Name, @{ n = 'Owner'; e = { $_.GetOwner().User } }, CommandLine |
    Sort-Object Name -Unique -Descending |
    Sort-Object Owner |
    Format-Table -Wrap -AutoSize
```