Fabian Bader f-bader
@f-bader
f-bader / advanced_hunting.md
Created July 24, 2025 11:57 — forked from b401/advanced_hunting.md
Microsoft Advanced Hunting encoding
### USAGE:
###
### GetTracelogProviderSecurity.ps1 (to get all provider info)
###
### GetTracelogProviderSecurity.ps1 -ProviderName f2e68291-2367-5d51-3488-46f7a0e3f2cf
### (to get the info for 1 provider guid)
##
#
# Provider: f2e68291-2367-5d51-3488-46f7a0e3f2cf
# Control Flags: 45076
@StartAutomating
StartAutomating / EventBasedServer.ps1
Last active August 8, 2025 17:43
Gist a small event-based HTTP server in PowerShell
$JobName = "http://localhost:$(Get-Random -Min 4200 -Max 42000)/"
$httpListener = [Net.HttpListener]::new()
$httpListener.Prefixes.Add($JobName)
$httpListener.Start()
Start-ThreadJob -ScriptBlock {
    param($MainRunspace, $httpListener, $SourceIdentifier = 'http')
    while ($httpListener.IsListening) {
        $contextAsync = $httpListener.GetContextAsync()
        while (-not ($contextAsync.IsCompleted -or $contextAsync.IsFaulted -or $contextAsync.IsCanceled)) {}
@JustinGrote
JustinGrote / asimAuxiliaryTables.bicep
Last active August 18, 2025 20:24
Create Auxiliary Table equivalents to ASIM and Common Log Sentinel Tables
param workspaceName string
param logRetentionDays int = 90
param tableNames array = [
  'ASimNetworkSessionLogs'
  'ASimAuthenticationEventLogs'
  'ASimWebSessionLogs'
  'ASimAuditEventLogs'
  'ASimDhcpEventLogs'
  'ASimDnsActivityLogs'
  'ASimFileEventLogs'
@JustinGrote
JustinGrote / New-JAzDataCollectionRule.ps1
Last active August 3, 2024 08:19
Create a Data Collection rule with embedded Ingestion DCRs
using namespace Microsoft.Azure.PowerShell.Cmdlets.Monitor.DataCollection.Models
using namespace System.Management.Automation
function New-JAzDataCollectionRule {
    <#
    .SYNOPSIS
    Create a new Data Collection Rule in Azure Monitor. Uses 2023 API for direct DCRs
    .NOTES
    The MS Documentation on this sucks but the reference has a good example which is how I figured it out: https://learn.microsoft.com/en-us/rest/api/monitor/data-collection-rules/create?view=rest-monitor-2023-03-11&tabs=HTTP#create-or-update-data-collection-rule-with-embedded-ingestion-endpoints
    #>
@azurekid
azurekid / Get-Guid.ps1
Last active November 5, 2024 11:33
PowerShell function to create a GUID from a string value
<#
.SYNOPSIS
Generates a GUID from a given string value using MD5 hashing.
.PARAMETER Value
The string value to generate a GUID from.
.EXAMPLE
Get-Guid -Value "example string"
Returns a GUID generated from the string "example string".
@mgraeber-rc
mgraeber-rc / ATPSiPolicy.xml
Created September 12, 2023 15:15
Recovered Microsoft Defender for Endpoint WDAC policy that is dropped to %windir%\System32\CodeIntegrity\ATPSiPolicy.p7b when "Restrict App Execution" is enabled for a device.
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
@awakecoding
awakecoding / Get-AadJoinInformation.ps1
Created August 8, 2023 14:21
Get Azure AD (Entra ID) Join Information without dsregcmd
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
public enum DSREG_JOIN_TYPE {
    DSREG_UNKNOWN_JOIN = 0,
    DSREG_DEVICE_JOIN = 1,
    DSREG_WORKPLACE_JOIN = 2
}
@sassdawe
sassdawe / PresentLight.json
Last active September 24, 2025 02:02
A light theme for Windows Terminal designed for the big screen!
{
    "background": "#F9F9F9",
    "black": "#AB3D2C",
    "blue": "#275FE4",
    "brightBlack": "#C21458",
    "brightBlue": "#0099E1",
    "brightCyan": "#7B86BB",
    "brightGreen": "#3D942E",
    "brightPurple": "#CE33C0",
    "brightRed": "#FF0308",
@HackingLZ
HackingLZ / vdm_lua_extract.py
Last active August 12, 2025 19:36
VDM Lua Extractor
### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess