Write-Output "Hello world!"

#> Get-WorldOpenDirectories -Path C:\Windows
#
# Directory   : C:\Windows\Tasks
# Group       : NT Authority\Authenticated Users
# Write       : True
# Read        : True
# ExecuteFile : True
# List        : True
#
# ...

function Get-EventDiff
{
    $startTime = [datetime]::Now
    Write-Warning "Press any key to stop listening for generated events ..."
    $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null
    # set an endtime in case the Get-WinEvent query takes a few seconds to complete
    $endTime = [datetime]::Now
    Get-WinEvent -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt $startTime -and $_.TimeCreated -lt $endTime }
}

function Register-NewEventWatchers
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String]$CSVFolder
    )
    $logNames = (Get-EventLog -LogName *).Log

import elasticsearch

# Search for closely named permutations of a string. A common attacker technique is to
# name a binary almost like a legitimate one (isass.exe vs lsass.exe); a fuzzy query
# sifts through millions of ES documents very quickly and returns only the near-matches,
# while the must_not clause drops exact matches of the legitimate name itself.
es = elasticsearch.Elasticsearch([{"host": "localhost", "port": 9200}])
hits = es.search(
    index="files_index",
    body={
        "query": {
            "bool": {
                "should": [{"fuzzy": {"file_name": "svchost.exe"}}],
                "must_not": [{"match": {"file_name": "svchost.exe"}}],
            }
        }
    },
)["hits"]

function Get-DownloadedPEHashes
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [String]$Path,
        [Switch]$Recursive = $true
    )
    if (!$Path.EndsWith('\'))

$LOGSTASH_IP = "192.168.197.222"
$Computers = Get-Content "C:\hosts.txt"
foreach ($computer in $Computers)
{
    # Inventory the running processes on each host and ship them as compact JSON to a Logstash HTTP input
    Get-WmiObject Win32_Process -ComputerName $computer `
        | Select-Object Caption,CreationDate,Description,ExecutablePath,Name,ProcessId,ParentProcessId `
        | ConvertTo-Json -Compress `
        | ForEach-Object { Invoke-WebRequest -ContentType "application/json" -Method "POST" -Uri "http://$($LOGSTASH_IP):8080" -Body $_ }
}

function Get-Derived {
    Param(
        [String]$Class,
        [String]$Namespace
    )
    if (-not [string]::IsNullOrEmpty($Class))
    {
        # list every non-system class whose direct superclass is $Class, then recurse into each of them
        Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | ForEach-Object {
            Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE
            $_