Skip to content

Instantly share code, notes, and snippets.

View jaredcatkinson's full-sized avatar

Jared Atkinson jaredcatkinson

464 followers · 1 following
View GitHub Profile
@jaredcatkinson
jaredcatkinson / Invoke-CommandAST
Last active February 24, 2024 15:23
#requires -Version 3
# Usage:
# Invoke-command -computername $server -scriptblock {FunctionName -param1 -param2}
# Author: Matt Graeber
# @mattifestation
# www.exploit-monday.com
function Invoke-Command
{
[CmdletBinding(DefaultParameterSetName='InProcess', HelpUri='http://go.microsoft.com/fwlink/?LinkID=135225', RemotingCapability='OwnedByCommand')]
@jaredcatkinson
jaredcatkinson / keybase.md
Created August 18, 2016 13:15

Keybase proof

I hereby claim:

  • I am jaredcatkinson on github.
  • I am jaredcatkinson (https://keybase.io/jaredcatkinson) on keybase.
  • I have a public key whose fingerprint is E36F 8790 CAFF 1865 40C6 E2D5 2D79 10BE 8FC6 F83E

To claim this, I am signing this object:

@jaredcatkinson
jaredcatkinson / Get-InjectedThread.ps1
Last active October 14, 2025 02:45
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@jaredcatkinson
jaredcatkinson / Get-StructureOffset.ps1
Last active February 24, 2024 15:21
function Get-StructureOffset
{
<#
.SYNOPSIS
Returns the field offset of the unmanaged form of the managed structure.
.DESCRIPTION
Wraps the Marshal class' OffsetOf method to return the offset for all fields in the specified Structure.
@jaredcatkinson
jaredcatkinson / Get-ExtendedAttribute.ps1
Last active February 24, 2024 15:21
Get-ExtendedAttribute is a function to iterate through the C:\ volume looking for files with Extended Attributes. This code is beta and meant only for the purpose of a blog post on detection methodology.
# This is really beta code used in my Detection Methodology post. I plan to write more efficient code when I get some more time.
function Get-ExtendedAttribute
{
foreach($file in (Get-ChildItem -Path C:\ -Recurse))
{
$obj = Get-ExtendedAttribute -FilePath $file.FullName | Where-Object {$_ -ne $null}
$obj | Add-Member -MemberType NoteProperty -Name FileName -Value $file.FullName
Write-Output $obj
}
@jaredcatkinson
jaredcatkinson / ConvertFrom-Base64.ps1
Created August 16, 2017 23:40
function ConvertFrom-Base64
{
param
(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[string]
$Base64String
)
$stringBytes = [System.Convert]::FromBase64String($Base64String)
@jaredcatkinson
jaredcatkinson / Get-AccessToken.ps1
Last active March 18, 2025 14:27
function Get-AccessToken
{
param
(
[Parameter()]
[System.Diagnostics.Process[]]
$Process
)
begin
@jaredcatkinson
jaredcatkinson / Get-KerberosTicketGrantingTicket.ps1
Last active July 19, 2025 16:52
Kerberos Ticket Granting Ticket Collection Script and Golden Ticket Detection Tests
function Get-KerberosTicketGrantingTicket
{
<#
.SYNOPSIS
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions
.DESCRIPTION
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
@jaredcatkinson
jaredcatkinson / Test-Ticket.ps1
Created September 20, 2017 21:51
Script to test if a Ticket Granting Ticket (TGT) is forged (a Golden Ticket).
function Test-Condition
{
param
(
[Parameter(Mandatory = $true)]
[bool]
$Result,
[Parameter(Mandatory = $true)]
[string]
@jaredcatkinson
jaredcatkinson / Resolve-CommandLineToFilePath.ps1
Last active February 24, 2024 15:18
Script to derive a File Path from a Command Line string
function Resolve-CommandLineToFilePath
{
<#
.SYNOPSIS
The Resolve-CommandLineToFilePath function takes an arbitrary Command Line and resolves the called application/file's path.
.PARAMETER CommandLine
The CommandLine that you want to convert to a file path.