- RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
- RunDll32.exe msrating.dll,RatingSetupUI
colindix
sean-m
/ log-reader-config.ps1
Created
May 13, 2014 19:25
Read Windows event logs with Get-WinEvent cmd-let and serialize to json for shipping with logstash-forwarder. Much lighter weight than using logstash with the eventlog codec. Runtime memory usage is ~30Mb vs ~320Mb. Note: must be run with elevated privileges to read Security event logs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Configuration for log-reader.ps1 | |
| This file is only read if log-reader.ps1 is invoked without arguments | |
| from the command-line. This file will configure any tunable variabes | |
| in log-reader.ps1. Thus far, the only setting is which logs to track. | |
| #> | |
| [string[]]$logname = $("Application", "System", "Security") |
zoltanctoth
/ pyspark-udf.py
Last active
July 15, 2023 13:23
Writing an UDF for withColumn in PySpark
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pyspark.sql.types import StringType | |
| from pyspark.sql.functions import udf | |
| maturity_udf = udf(lambda age: "adult" if age >=18 else "child", StringType()) | |
| df = spark.createDataFrame([{'name': 'Alice', 'age': 1}]) | |
| df.withColumn("maturity", maturity_udf(df.age)) | |
| df.show() |
alirobe
/ reclaimWindows10.ps1
Last active
May 14, 2025 14:03
This Windows 10 Setup Script turns off a bunch of unnecessary Windows 10 telemetery, bloatware, & privacy things. Not guaranteed to catch everything. Review and tweak before running. Reboot after running. Scripts for reversing are included and commented. Fork of https://github.com/Disassembler0/Win10-Initial-Setup-Script (different defaults). N.…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### | |
| ### | |
| ### UPDATE: For Win 11, I recommend using this tool in place of this script: | |
| ### https://christitus.com/windows-tool/ | |
| ### https://github.com/ChrisTitusTech/winutil | |
| ### https://www.youtube.com/watch?v=6UQZ5oQg8XA | |
| ### iwr -useb https://christitus.com/win | iex | |
| ### | |
| ### OR take a look at | |
| ### https://github.com/HotCakeX/Harden-Windows-Security |
jaredcatkinson
/ Get-InjectedThread.ps1
Last active
April 24, 2025 15:06
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
mgreen27
/ ActiveScriptEventConsumer.ps1
Last active
January 13, 2022 01:22
PowerShell script to install an ActiveScriptEventConsumer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerShell 2.0+ | |
| # Description: Powershell script to add Event Consumer | |
| # Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a | |
| # Set Variables | |
| $Name = 'StagingLocation_Example' | |
| $Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"' | |
| $EventNamespace = 'root/cimv2' | |
| $Class = 'ActiveScriptEventConsumer' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
curi0usJack
/ .htaccess
Last active
April 9, 2025 16:33
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__! | |
| # | |
| # Note this version requires Apache 2.4+ | |
| # | |
| # Save this file into something like /etc/apache2/redirect.rules. | |
| # Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom | |
| # | |
| # Include /etc/apache2/redirect.rules | |
| # |
jaredhaight
/ windows_hardening.cmd
Last active
April 28, 2024 16:59
— forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| :: | |
| ::####################################################################### | |
| :: | |
| :: Change file associations to protect against common ransomware attacks | |
| :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell | |
| :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) | |
| :: --------------------- | |
| ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" |
scotgabriel
/ Windows command line gui access.md
Last active
November 11, 2023 14:53
Common windows functions via rundll user32 and control panel
wdormann
/ acltest.ps1
Created
May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
OlderNewer