
@et0x
et0x / Get-ExtrinsicEventClasses.ps1
Last active May 27, 2017 01:26
List all WMI extrinsic event classes recursively
function Get-Derived {
    Param(
        [String]$Class,
        [String]$Namespace
    )
    if (-not [string]::IsNullOrEmpty($Class))
    {
        # List the classes in this namespace whose direct superclass is $Class, skipping system (__) classes,
        # then recurse into each derived class before emitting it
        Get-WmiObject -List -Namespace $Namespace | Where-Object { $_.__SUPERCLASS -eq $Class -and (-not ($_.Name.StartsWith('__')) ) } | ForEach-Object {
            Get-Derived -Class $_.__CLASS -Namespace $_.__NAMESPACE
            $_
        }
    }
}
@et0x
et0x / elk_process_submission.ps1
Created August 5, 2016 21:51
Simple way to get WMI data from remote machines into ELK; very extensible
$LOGSTASH_IP = "192.168.197.222"
$Computers = Get-Content "C:\hosts.txt"
foreach ($computer in $Computers)
{
    # Collect the process list from each host over WMI and POST it as JSON to the Logstash HTTP input
    Get-WmiObject Win32_Process -Computername $computer `
        | Select-Object Caption,CreationDate,Description,ExecutablePath,Name,ProcessId,ParentProcessId `
        | ConvertTo-Json -Compress `
        | ForEach-Object { Invoke-WebRequest -Headers @{"Content-Type"="application/json"} -Method "POST" -Uri "http://$($LOGSTASH_IP):8080" -Body $_ }
}
@et0x
et0x / Get-DownloadedPEHashes.ps1
Created August 8, 2016 17:32
Get the hashes of all exe / dll files downloaded from the internet. Checks for the Zone.Identifier ADS and ensures the value is 3.
function Get-DownloadedPEHashes
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, Position=0)]
        [String]$Path,
        [Switch]$Recursive = $true
    )
    if (!$Path.EndsWith('\'))
@et0x
et0x / elk_find_spoofs.py
Last active November 6, 2019 00:03
Quickly search through Elasticsearch documents for oddly named fields (e.g. isass.exe files impersonating lsass.exe)
import elasticsearch

# This will search for closely named permutations of strings, i.e. a common attacker technique is to
# name binaries close to a legitimate binary (isass.exe vs lsass.exe). It searches through
# millions of ES documents very quickly and only returns the closely related permutations.
es = elasticsearch.Elasticsearch([{"host": "localhost", "port": 9200}])
# "fuzzy" matches file names within a small edit distance of the legitimate name;
# "must_not" drops the exact matches so only the look-alikes are returned
hits = es.search(index="files_index", body={"query": {"bool": {"should": [{"fuzzy": {"file_name": "svchost.exe"}}], "must_not": [{"match": {"file_name": "svchost.exe"}}]}}})["hits"]
print(hits)
function Register-NewEventWatchers
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String]$CSVFolder
    )
    $logNames = (Get-EventLog -LogName *).Log
@et0x
et0x / Get-EventDiff.ps1
Last active September 11, 2016 04:33
View events generated (good for forensic research) when actions occur. Just run Get-EventDiff then press another key to stop listening.
function Get-EventDiff
{
    $startTime = [datetime]::Now
    Write-Warning "Press any key to stop listening for generated events ..."
    $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | Out-Null
    # set an end time in case the Get-WinEvent query takes a few seconds to complete
    $endTime = [datetime]::Now
    # return every event written to any log between the start and the keypress
    Get-WinEvent -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt $startTime -and $_.TimeCreated -lt $endTime }
}
@et0x
et0x / Get-WorldOpenDirectories.ps1
Last active May 31, 2022 09:09
Use Get-WorldOpenDirectories to find open directories recursively, with specifics on exec/list/read permissions as well
#> Get-WorldOpenDirectories -Path C:\Windows
#
# Directory : C:\Windows\Tasks
# Group : NT Authority\Authenticated Users
# Write : True
# Read : True
# ExecuteFile : True
# List : True
#
# ...
Write-Output "Hello world!"